[rb-general] Checking Reproducible Build for a Maven project

Hans-Christoph Steiner hans at guardianproject.info
Thu Dec 19 10:35:27 UTC 2019

Another thing I'd like to add:

I have found that in the process of trying to reproduce builds on a
rebuilder, there are various issues that come up due to the build
dependencies.  I have found one helpful way to work through those is to
build the library with the various build tools.  I think it is
feasible to get multiple build systems making the exact same files, when
the library is a plain collection of Java classes.

The sad side is that it seems that the reproducibility of JARs is quite
sensitive to which JDK/version was used to build it, even if they are
all all set to generate Java8 bytecode.


Hans-Christoph Steiner:
> More progress!  The jtorctl library that we hacked on in Marrakesh is
> now published using Maven with a .buildinfo file:
> https://repo1.maven.org/maven2/info/guardianproject/jtorctl/0.4/
> .hc
> Hans-Christoph Steiner:
>> After working with Maven and Bazel devs at the summit,  I wanted to
>> follow up to keep the buildinfo work moving.  I have buildinfo
>> generation working with gradle, and it is now working in Maven plugins.
>>  I'd heard it was working with Bazel, but I haven't seen it yet.
>> The JARs produced with Maven and Gradle now only differ in the sort
>> order of files in the ZIP header.  `mvn deploy` even pushes the
>> buildinfo file to the maven repo:
>> https://gitlab.com/eighthave/jtorctl/-/packages/59404
>> In this process, I found a small bug in maven archiver, which puts the
>> META-INF/ dir entry after the META-INF/MANIFEST.MF entry in the ZIP:
>> https://issues.apache.org/jira/browse/MSHARED-849
>> .hc

PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556

More information about the rb-general mailing list