Reproducible builds on Java
John Neffenger
john at status6.com
Tue Sep 7 21:04:18 UTC 2021
On 9/6/21 2:17 AM, Magnus Ihse Bursie wrote:
> But a larger issue than OpenJDK itself is to make sure that the tools
> from the JDK are creating reproducible builds for all Java projects out
> there.
> If anyone from the reproducible builds community has something to add to the discussion, now is the time to make your voice heard.
The only remaining issue in the JDK tools preventing reproducible builds
of JavaFX are the non-deterministic JMOD archives. See here for details:
8264449: Enable reproducible builds with SOURCE_DATE_EPOCH
https://github.com/openjdk/jfx/pull/446
For now, the JMOD archives are normalized with 'strip-nondeterminism' as
follows:
$ strip-nondeterminism -v -T $SOURCE_DATE_EPOCH build/jmods/*.jmod
When the creation of the JMOD files are deterministic, we won't need
this extra step. Furthermore, the build environment I use doesn't have
the most recent version of 'strip-nondeterminism' with the JMOD support,
so getting the change into the 'jmod' tool would help a lot.
Note that JavaFX uses Gradle to build the other JAR and ZIP archives, so
we bypass any non-determinism that might still be present in the 'jar'
tool. Gradle cannot yet build the JMOD archives, though, so we depend on
the 'jmod' tool directly. See:
Reproducible builds
https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
Thanks,
John
More information about the rb-general
mailing list