[rb-general] Checking Reproducible Build for a Maven project
hans at guardianproject.info
Thu Dec 19 10:35:27 UTC 2019
Another thing I'd like to add:
I have found that in the process of trying to reproduce builds on a
rebuilder, there are various issues that come up due to the build
dependencies. I have found one helpful way to work through those is to
build the library with the various build tools. I think it is
feasible to get multiple build systems making the exact same files, when
the library is a plain collection of Java classes.
The sad side is that it seems that the reproducibility of JARs is quite
sensitive to which JDK/version was used to build it, even if they are
all all set to generate Java8 bytecode.
> More progress! The jtorctl library that we hacked on in Marrakesh is
> now published using Maven with a .buildinfo file:
> Hans-Christoph Steiner:
>> After working with Maven and Bazel devs at the summit, I wanted to
>> follow up to keep the buildinfo work moving. I have buildinfo
>> generation working with gradle, and it is now working in Maven plugins.
>> I'd heard it was working with Bazel, but I haven't seen it yet.
>> The JARs produced with Maven and Gradle now only differ in the sort
>> order of files in the ZIP header. `mvn deploy` even pushes the
>> buildinfo file to the maven repo:
>> In this process, I found a small bug in maven archiver, which puts the
>> META-INF/ dir entry after the META-INF/MANIFEST.MF entry in the ZIP:
PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556
More information about the rb-general