Reproducibility for Java

Andrew Leonard anleonar at redhat.com
Wed Nov 13 14:57:55 UTC 2024 

Hi,

Fyi, OpenJDK build itself does not actually use "keytool" itself, as it has
some determinism issues, but also
doesn't quite do exactly what is required for the cacerts store creation.
OpenJDK uses it's own GenerateCacerts
tool:
https://github.com/openjdk/jdk21u/blob/master/make/jdk/src/classes/build/tools/generatecacerts/GenerateCacerts.java
I did open a bug a while back to report the keytool issues, but is was
closed as not an issue... https://bugs.openjdk.org/browse/JDK-8278157

With regards the build of OpenJDK as a whole, it is fully Reproducible, we
produce identical Temurin JDKs at Eclipse Adoptium.

Cheers
Andrew


On Wed, Nov 13, 2024 at 2:25 PM Chris Lamb <chris at reproducible-builds.org>
wrote:

> Roland Clobus wrote:
>
> > After the regular postinst has run, I can run the postinst step again
> > but then with faketime active.
>
> Mm, that's likely the most elegant solution available. Even if it is,
> alas, a solution specific to building live images. :(
>
> Separate to that, I would file a bug against keytool and/or KeyStore
> class so that the command-line keytool utility either:
>
>  a) obeys SOURCE_DATE_EPOCH internally to the tool
>  b) accepts a date on the command-line (as suggested explicitly by John)
>  c) there is some kind of -nodate option
>
> As you mention, at least (a) and (b) would require a bunch of the
> new Date() calls in the KeyStore class to be checked over, and likely
> the KeyStore API needs to change as you imply so that a date can be
> poked through to the right place. That's probably a design decision
> best left to the maintainers of the KeyStore class and keytool utility,
> however.
>
> I don't think we need to propose that the entire JRE/JDK starts to
> obey SOURCE_DATE_EPOCH …
>
>
>
>
> Regards,
>
> --
>       o
>     ⬋   ⬊      Chris Lamb
>    o     o     reproducible-builds.org 💠
>     ⬊   ⬋
>       o
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20241113/7c039329/attachment.htm>

More information about the rb-general mailing list