Reproducible Arch Linux in 2024/Q1 (irregular status update)

[John Neffenger]

On 3/12/24 4:04 PM, kpcyrd wrote:
> 3) Timestamps embedded in .jar files (unreproducible zip files are a big 
> thing for some reason).

Many of you may already know this, but just in case ... there is now 
support in Apache Maven, Gradle, and the JDK itself to normalize the 
timestamps in JAR files.

MAVEN
==========
Source the following Bash file, for example:

   #!/bin/bash
   # Source this file for reproducible builds
   SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
   export SOURCE_DATE_EPOCH

Then run 'mvn clean install' with the following property in the 
'pom.xml' file:

   <properties>
       <project.build.outputTimestamp>
           ${env.SOURCE_DATE_EPOCH}
       </project.build.outputTimestamp>
   </properties>

GRADLE
==========
Set the following properties for the Zip Task that creates the JAR file:

   // Normalizes the ZIP and JAR archives
   tasks.withType(Zip) {
       preserveFileTimestamps = false
       reproducibleFileOrder = true
   }

JDK
==========
Builds of OpenJDK version 18 or later support the following new option 
in the 'jar' and 'jmod' commands:

   --date=TIMESTAMP
       The timestamp in ISO-8601 extended offset date-time with optional
       time-zone format, to use for the timestamp of the entries,
       e.g. "2022-02-12T12:30:00-05:00".

John