[rb-general] Checking Reproducible Build for a Maven project

Hans-Christoph Steiner hans at guardianproject.info
Thu Dec 19 10:35:27 UTC 2019


Another thing I'd like to add:

I have found that in the process of trying to reproduce builds on a
rebuilder, there are various issues that come up due to the build
dependencies.  I have found one helpful way to work through those is to
build the library with the various build tools.  I think it is
feasible to get multiple build systems making the exact same files, when
the library is a plain collection of Java classes.

The sad side is that it seems that the reproducibility of JARs is quite
sensitive to which JDK/version was used to build it, even if they are
all set to generate Java8 bytecode.

.hc

Hans-Christoph Steiner:
> 
> More progress!  The jtorctl library that we hacked on in Marrakesh is
> now published using Maven with a .buildinfo file:
> 
> https://repo1.maven.org/maven2/info/guardianproject/jtorctl/0.4/
> 
> .hc
> 
> Hans-Christoph Steiner:
>>
>> After working with Maven and Bazel devs at the summit, I wanted to
>> follow up to keep the buildinfo work moving.  I have buildinfo
>> generation working with gradle, and it is now working in Maven plugins.
>> I'd heard it was working with Bazel, but I haven't seen it yet.
>>
>> The JARs produced with Maven and Gradle now only differ in the sort
>> order of files in the ZIP header.  `mvn deploy` even pushes the
>> buildinfo file to the maven repo:
>> https://gitlab.com/eighthave/jtorctl/-/packages/59404
>>
>> In this process, I found a small bug in maven archiver, which puts the
>> META-INF/ dir entry after the META-INF/MANIFEST.MF entry in the ZIP:
>> https://issues.apache.org/jira/browse/MSHARED-849
>>
>> .hc
>>
> 

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
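The thread above describes two JAR reproducibility findings: builds from Maven and Gradle that differ only in the ZIP entry order, and maven archiver placing the META-INF/ directory entry after META-INF/MANIFEST.MF. The following script is an added example, not code from the mailing list post or from the jtorctl project. It constructs two small in-memory JARs that mimic those two cases (the manifest bytes and the dummy class file content are constructed sample data, and the entry name example/Hello.class is made up), then classifies how a pair of JARs differs (byte-identical, same entries in a different order, differing metadata only, or differing content) and checks the META-INF/ ordering rule. The same functions work on real JAR files read from disk.

```python
"""Classify how two JARs differ and check META-INF/ entry ordering.

Added example: distinguishes "only the ZIP entry order differs" (a
rebuilder-level mismatch that can be normalised away) from real content
differences, which is the first question when a rebuild does not match.
"""
import hashlib
import io
import zipfile


def build_jar(entries):
    """Construct an in-memory JAR with entries written in the given order.

    entries: list of (name, bytes); names ending in "/" are directory entries.
    A fixed DOS timestamp keeps the output deterministic for the demo.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            # Directory entries carry no data, so store them uncompressed.
            info.compress_type = (zipfile.ZIP_STORED if name.endswith("/")
                                  else zipfile.ZIP_DEFLATED)
            zf.writestr(info, data)
    return buf.getvalue()


def entry_digests(jar_bytes):
    """Return [(entry name, sha256 of its content)] in central-directory order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [(i.filename, hashlib.sha256(zf.read(i)).hexdigest())
                for i in zf.infolist()]


def compare_jars(a, b):
    """Classify the difference between two JARs (bytes).

    Returns one of:
      "identical"       - byte-for-byte equal
      "metadata-only"   - same entries, order and content; only ZIP metadata
                          (timestamps, extra fields, compression level) differs
      "order-only"      - same entries and content, different entry order
      "entries-differ"  - the set of entry names differs
      "content-differs" - same entry names, at least one entry's bytes differ
    """
    if a == b:
        return "identical"
    da, db = entry_digests(a), entry_digests(b)
    if da == db:
        return "metadata-only"
    if sorted(da) == sorted(db):
        return "order-only"
    if {n for n, _ in da} != {n for n, _ in db}:
        return "entries-differ"
    return "content-differs"


def metainf_order_ok(jar_bytes):
    """True unless the META-INF/ directory entry comes after META-INF/MANIFEST.MF.

    Both entries must be present for the rule to apply; otherwise it passes.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [i.filename for i in zf.infolist()]
    if "META-INF/" not in names or "META-INF/MANIFEST.MF" not in names:
        return True
    return names.index("META-INF/") < names.index("META-INF/MANIFEST.MF")


# Constructed sample content (not taken from any real build).
MANIFEST = b"Manifest-Version: 1.0\r\nCreated-By: example\r\n\r\n"
CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 28   # placeholder, not a real class

# Gradle-like ordering: META-INF/ directory entry first, then the manifest.
GRADLE_LIKE = build_jar([
    ("META-INF/", b""),
    ("META-INF/MANIFEST.MF", MANIFEST),
    ("example/Hello.class", CLASS_BYTES),
])

# Maven-archiver-like ordering from the thread: MANIFEST.MF before META-INF/.
MAVEN_LIKE = build_jar([
    ("META-INF/MANIFEST.MF", MANIFEST),
    ("META-INF/", b""),
    ("example/Hello.class", CLASS_BYTES),
])


if __name__ == "__main__":
    print("gradle vs maven:", compare_jars(GRADLE_LIKE, MAVEN_LIKE))
    print("gradle META-INF/ order ok:", metainf_order_ok(GRADLE_LIKE))
    print("maven  META-INF/ order ok:", metainf_order_ok(MAVEN_LIKE))
```

To run it against two real artifacts, read each file with `open(path, "rb").read()` and pass the bytes to `compare_jars`; an "order-only" result means the rebuild is content-reproducible and only the archiver's entry ordering needs to be aligned, while "content-differs" points at the build inputs (JDK version, compiler flags) rather than the packaging step.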