Unreproducible Tomcat Issue

John Neffenger john at status6.com
Mon Nov 14 03:50:30 UTC 2022


On 11/12/22 4:32 AM, Roland Clobus wrote:
> Take a look at the difference in tomcat9:
> https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/tomcat9.html

I found it: Tomcat uses a tool called "bnd" to generate its 
'module-info.class' files, but there was a bug in bnd that made those 
files nondeterministic.

That bug was fixed in March 2022 for bnd version 6.3.0:

module-info.class is not generated in a repeatable manner
https://github.com/bndtools/bnd/issues/5183

Debian is building Tomcat 9 using bnd version 5.0.1, as found here:

https://tests.reproducible-builds.org/debian/buildinfo/unstable/amd64/tomcat9_9.0.68-1.1_amd64.buildinfo

The latest build of Tomcat uses bnd version 6.3.1 and does not have this 
problem.

By the way, the fix below makes it so that a normal build of Tomcat 
using its default Ant target is reproducible independent of the time of 
the build:

Allow reproducible builds of all JDBC JAR files
https://github.com/apache/tomcat/pull/566

Now the only remaining difference that I can find between any two builds 
of Tomcat is the build path that gets included in two XML files:

$ diff -qr lxd/output1 kvm/output1
Files lxd/output1/jdbc-pool/doc/changelog.xml and kvm/output1/jdbc-pool/doc/changelog.xml differ
Files lxd/output1/jdbc-pool/doc/jdbc-pool.xml and kvm/output1/jdbc-pool/doc/jdbc-pool.xml differ

$ diff -r lxd/output1 kvm/output1
diff -r lxd/output1/jdbc-pool/doc/changelog.xml kvm/output1/jdbc-pool/doc/changelog.xml
19c19
<   <!ENTITY project SYSTEM "/home/ubuntu/src/tomcat/modules/jdbc-pool/includes/project.xml">
---
>   <!ENTITY project SYSTEM "/home/john/src/tomcat/modules/jdbc-pool/includes/project.xml">
diff -r lxd/output1/jdbc-pool/doc/jdbc-pool.xml kvm/output1/jdbc-pool/doc/jdbc-pool.xml
19c19
<   <!ENTITY project SYSTEM "/home/ubuntu/src/tomcat/modules/jdbc-pool/includes/project.xml">
---
>   <!ENTITY project SYSTEM "/home/john/src/tomcat/modules/jdbc-pool/includes/project.xml">

John
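
Added example, not part of the message above and not code from Tomcat, bnd or Debian: a Python script that compares two build output trees and separates files that differ only by the embedded build path (as the two XML files above do) from files that differ for some other reason (as 'module-info.class' did with the older bnd). The function names, the placeholder string and the sample trees are constructed for illustration.

```python
import tempfile
from pathlib import Path

PLACEHOLDER = b"@BUILD_ROOT@"  # constructed marker, not a Tomcat or Debian convention


def classify(out_a: Path, root_a: str, out_b: Path, root_b: str) -> dict:
    """Return {relative path: verdict} for every file that is missing or differs.

    root_a and root_b are the source checkout paths each build ran in.
    """
    files_a = {p.relative_to(out_a) for p in out_a.rglob("*") if p.is_file()}
    files_b = {p.relative_to(out_b) for p in out_b.rglob("*") if p.is_file()}
    report = {}
    for rel in sorted(files_a | files_b):
        if rel not in files_a or rel not in files_b:
            report[rel.as_posix()] = "missing"
            continue
        a = (out_a / rel).read_bytes()
        b = (out_b / rel).read_bytes()
        if a == b:
            continue
        # Replace each build's own root with one placeholder, then compare again.
        na = a.replace(root_a.encode(), PLACEHOLDER)
        nb = b.replace(root_b.encode(), PLACEHOLDER)
        report[rel.as_posix()] = "build-path-only" if na == nb else "other"
    return report


def demo() -> dict:
    """Build two constructed sample trees modelled on the diff output above."""
    entity = '<!ENTITY project SYSTEM "{}/modules/jdbc-pool/includes/project.xml">\n'
    roots = ("/home/ubuntu/src/tomcat", "/home/john/src/tomcat")
    with tempfile.TemporaryDirectory() as tmp:
        outs = []
        for i, root in enumerate(roots):
            out = Path(tmp) / f"output{i}"
            (out / "jdbc-pool/doc").mkdir(parents=True)
            (out / "jdbc-pool/doc/changelog.xml").write_text(entity.format(root))
            # Constructed bytes standing in for a nondeterministic class file.
            (out / "module-info.class").write_bytes(b"\xca\xfe\xba\xbe" + bytes([i]))
            (out / "RUNNING.txt").write_text("same in both builds\n")
            outs.append(out)
        return classify(outs[0], roots[0], outs[1], roots[1])


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:16} {path}")
```

The comparison only sees paths stored as plain bytes in a file; JAR files and other archives have to be unpacked into the trees first.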


