Reproducible builds on Java
John Neffenger
john at neffenger.ca
Tue Sep 7 21:01:54 UTC 2021
On 9/6/21 2:17 AM, Magnus Ihse Bursie wrote:
> But a larger issue than OpenJDK itself is to make sure that the tools from the JDK are creating reproducible builds for all Java projects out there.
> If anyone from the reproducible builds community has something to add to
> the discussion, now is the time to make your voice heard.
The only remaining issue in the JDK tools preventing reproducible builds
of JavaFX are the non-deterministic JMOD archives. See here for details:
8264449: Enable reproducible builds with SOURCE_DATE_EPOCH
https://github.com/openjdk/jfx/pull/446
For now, the JMOD archives are normalized with 'strip-nondeterminism' as
follows:
$ strip-nondeterminism -v -T $SOURCE_DATE_EPOCH build/jmods/*.jmod
When the creation of the JMOD files are deterministic, we won't need
this extra step. Furthermore, the build environment I use doesn't have
the most recent version of 'strip-nondeterminism' with the JMOD support,
so getting the change into the 'jmod' tool would help a lot.
Note that JavaFX uses Gradle to build the other JAR and ZIP archives, so
we bypass any non-determinism that might still be present in the 'jar'
tool. Gradle cannot yet build the JMOD archives, though, so we depend on
the 'jmod' tool directly. See:
Reproducible builds
https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
Thanks,
John
More information about the rb-general
mailing list