Reproducibility for Java
Roland Clobus
rclobus at rclobus.nl
Fri Nov 8 16:40:03 UTC 2024
Hello list,
I'm tracing a non-reproducibility issue in the Debian package
ca-certificates-java for the Debian Junior live image.
It embeds timestamps for 'now' in /etc/ssl/certs/java/cacerts.
The proposed solution at [1] does not work; the deeper code has 'new
Date()' in several places.
To solve the issue I have several options:
* Remove the offending file from the live image and generate it again at
runtime -> makes the ISO image reproducible, but does not improve the
infrastructure
* Run the command that generates this file in a faketime environment
(the value for SOURCE_DATE_EPOCH is ignored)
* Propose changes to Java at higher level, i.e. fixing
sun.security.provider.JavaKeyStore [2] at several places
* Propose changes to Java in JavaKeyStore to stop using 'now' but
instead the timestamp of the files of the certificate
* Propose changes to Java at a deep level, i.e. fixing the class
java.util.Date [3]
There are already some SOURCE_DATE_EPOCH uses in Java, but mainly for
building Java and Javadoc [4].
What strategy would you propose? Should production runtime environments
be sensitive to SOURCE_DATE_EPOCH (instead of during building)?
With kind regards,
Roland Clobus
[1] https://stackoverflow.com/questions/2001671/override-java-system-currenttimemillis-for-testing-time-sensitive-code
[2] https://sources.debian.org/src/openjdk-23/23.0.1+11-1/src/java.base/share/classes/sun/security/provider/JavaKeyStore.java/?hl=381#L381
[3] https://sources.debian.org/src/openjdk-23/23.0.1+11-1/src/java.base/share/classes/java/util/Date.java/?hl=162#L162
[4] https://codesearch.debian.net/search?q=package%3Aopenjdk-23+SOURCE_DATE_EPOCH
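
One way to see where the timestamps sit in the file, as an added example that is not part of the original message: a small Python reader for the JKS layout written by sun.security.provider.JavaKeyStore that lists each entry's creation time. It assumes cacerts is a version 2 JKS keystore with ASCII aliases; the function names are hypothetical, and the sample keystore, its alias and its dummy certificate bytes are constructed.

```python
import struct
from datetime import datetime, timezone
JKS_MAGIC = 0xFEEDFEED
TRUSTED_CERT = 2  # entry tag for a trusted certificate; 1 is a private key

def _utf(buf, pos):
    """Read a DataOutputStream.writeUTF string: 2-byte length, then bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _blob(buf, pos):
    """Skip a 4-byte length-prefixed blob and return the new offset."""
    (n,) = struct.unpack_from(">I", buf, pos)
    return pos + 4 + n

def entry_timestamps(buf):
    """Return [(alias, creation time in ms since epoch)] for a JKS keystore."""
    magic, version, count = struct.unpack_from(">III", buf, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version 2 JKS keystore")
    pos, out = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", buf, pos)
        alias, pos = _utf(buf, pos + 4)
        # 8-byte creation date: this is the field that changes on every run
        out.append((alias, struct.unpack_from(">q", buf, pos)[0]))
        pos += 8
        if tag == TRUSTED_CERT:
            _, pos = _utf(buf, pos)      # certificate type, e.g. "X.509"
            pos = _blob(buf, pos)        # encoded certificate
        else:  # private key entry: key blob, then a certificate chain
            pos = _blob(buf, pos)
            (chain,) = struct.unpack_from(">I", buf, pos)
            pos += 4
            for _ in range(chain):
                _, pos = _utf(buf, pos)
                pos = _blob(buf, pos)
    return out

def build_sample(millis):
    """Constructed keystore with one trusted entry; cert bytes are a dummy."""
    alias, ctype, cert = b"example-ca", b"X.509", b"\x30\x00"
    body = struct.pack(">III", JKS_MAGIC, 2, 1) + struct.pack(">I", TRUSTED_CERT)
    body += struct.pack(">H", len(alias)) + alias + struct.pack(">q", millis)
    body += struct.pack(">H", len(ctype)) + ctype + struct.pack(">I", len(cert)) + cert
    return body + b"\x00" * 20  # placeholder for the trailing SHA-1 integrity digest

if __name__ == "__main__":
    for alias, ms in entry_timestamps(build_sample(1731084003000)):
        print(alias, datetime.fromtimestamp(ms / 1000, timezone.utc).isoformat())
```

Running `entry_timestamps` over the cacerts files from two builds shows whether the per-entry creation dates are the only fields that differ.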