[rb-general] [jvm] introducing reproducible-central
Hervé Boutemy
hboutemy at apache.org
Thu Jan 17 10:04:01 CET 2019
Hi,
After the work on jvm buildinfo [1], the discussion on rebuilder attestations
showed that Maven central could be seen as some sort of Linux distribution: it
has some specific aspects (multi-platform, multi-version for each project),
but it shares the fact that someone must write a rebuild specification for
everything to be able to automatically execute rebuilds, and these rebuilds
will generate buildinfo.
Then I tried to create such rebuild specification for a few interesting
projects, from the most basic to some complex cases I don't know really how to
deal with...
You'll find the result as a "reproducible-central" Git repository [2].
There are already interesting findings that I tried to document in the README:
- target JDK or minimum JDK are not important: effective JDK major version
used to build the artifact published to Central is what really counts, since
the bytecode from different major JDK version is different, then not
reproducible. And effective JDK can just be measured from binary published in
Central, it's not really a specification of the project and often varies from
version to version without real logic...
- some artifacts are built on Windows, which introduces specific variations
- rebuild instructions are not fully generic, they will really have to be
handwritten to match each project...
Then getting checked reproducible content in Central will not be easy: it's
now not just a fear, it's based on facts.
If you want to contribute (for example for other build tools than Maven, or
another repository...), don't hesitate and contact me: I created a Github
dedicated organization to manage contributions.
I wrote rebuild instructions and tested a few by hand on a few versions,
testing with diffoscope how much the binary artifacts were different from the
reference pushed in Central, but I did not automate anything: help wanted. I'd
really be interested to automate a full rebuild of any project with a report
on found differences.
Regards,
Hervé
[1] https://reproducible-builds.org/docs/jvm/
[2] https://github.com/jvm-repo-rebuild/reproducible-central
More information about the rb-general
mailing list