maven-issues mailing list archives

From Hervé Boutemy (JIRA) <j...@apache.org>
Subject [jira] [Commented] (MNG-6276) Support reproducible builds
Date Sat, 07 Oct 2017 14:14:03 GMT

    [ https://issues.apache.org/jira/browse/MNG-6276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16195717#comment-16195717 ]

Hervé Boutemy commented on MNG-6276:
------------------------------------

Thank you [~Zlika] for the follow-up: let's continue.

We need to find a property name that everybody will agree upon: "reproducible" does not gain
momentum yet, nor "idempotent", nor "deterministic".
Re-reading https://reproducible-builds.org/, which seems a good starting point, what about
{{verifiable}}?
To me, finding an agreed property name is the only requirement to fix MSHARED-661, which is one
of the easiest parts to code, then a good concrete first change to do.

To me, finding the right term is not just a detail, but a question of determining the right
objective: looking at MSHARED-661, by removing timestamps, the build can be deterministic
and idempotent on my personal machine, but our requirement is also that _someone else_ with
a "decently near" configuration will get the bit-for-bit same result (then removing username
avoids some stupid constraints on build environment configuration).

A general question: is there some writing somewhere on what the issues are in a basic Java
build? (By "basic" I mean that no advanced build tool like Maven and plugins adds more variable
parts.)
The first strong issue I see, for example, in basic builds is _timestamps for files in jars/wars/zips_.
Is there something on the precise JDK version used? Or compiler? If I build with JDK 8 with
target 6, do I get the same .class as with JDK 6? If I build with OpenJDK or IBM JDK or
Eclipse compiler or jikes, do I get the same result as with Oracle JDK?

Notice I just added a new entry in https://cwiki.apache.org/confluence/display/MAVEN/Proposals
to track this proposal: I'll add a dedicated Wiki page to gather requirements, which will
probably be useful for long-term documentation purposes in addition to our discussion in this
Jira issue...

> Support reproducible builds
> ---------------------------
>
>                 Key: MNG-6276
>                 URL: https://issues.apache.org/jira/browse/MNG-6276
>             Project: Maven
>          Issue Type: New Feature
>          Components: core, General
>            Reporter: Paolo Sacconier
>
> A venerable build system like Maven should support full build reproducibility (i.e. producing
> bit-for-bit identical binaries from the same source).
> As initiatives like https://reproducible-builds.org gain traction and the news of the
> recent Debian policy change to mandate this build behavior (see https://reproducible.alioth.debian.org/blog/posts/121/),
> this seems a feature that needs to be considered for inclusion into Maven core & core
> plugins.
> There is an independent ongoing effort to support this feature and the author stated
> that he has found interest from the Maven project to integrate his work: https://github.com/Zlika/reproducible-build-maven-plugin/issues/6#issuecomment-325005883
> I hope this issue helps kickstart the effort.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
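
The point raised in the message above about timestamps for files in jars/wars/zips, as an added example (not code from Maven, its plugins, or this thread): two archives with identical file contents differ byte-for-byte when entry timestamps and entry order differ, and become identical once both are normalized. File names, contents and build times are constructed; `build_jar`, `normalize` and `explain_difference` are hypothetical helpers.

```python
import io
import zipfile

# Constructed inputs: the same two files, "built" at two different times.
FILES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
         "com/example/App.class": b"\xca\xfe\xba\xbe constructed bytes"}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp a zip entry can hold


def build_jar(files, mtime, order=None):
    """Write entries with the given modification time, in the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in (order or list(files)):
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions, not the builder's umask
            zf.writestr(info, files[name])
    return buf.getvalue()


def normalize(jar_bytes):
    """Rewrite an archive with sorted entries and one fixed timestamp."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        files = {name: zf.read(name) for name in zf.namelist()}
    return build_jar(files, FIXED_TIME, order=sorted(files))


def explain_difference(a, b):
    """Per entry: 'missing', 'content' differs, or only 'timestamp' differs."""
    with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        report = {}
        for name in sorted(names_a | names_b):
            if name not in names_a or name not in names_b:
                report[name] = "missing"
            elif za.read(name) != zb.read(name):
                report[name] = "content"
            elif za.getinfo(name).date_time != zb.getinfo(name).date_time:
                report[name] = "timestamp"
        return report


# Two builds of the same sources: different wall-clock time, different entry order.
monday = build_jar(FILES, (2017, 10, 2, 9, 15, 0))
saturday = build_jar(FILES, (2017, 10, 7, 14, 14, 2), order=sorted(FILES, reverse=True))
print("raw archives identical:", monday == saturday)
print("per-entry differences:", explain_difference(monday, saturday))
print("normalized archives identical:", normalize(monday) == normalize(saturday))
```

The normalization here only covers entry order, timestamps and permissions; it does not address differences in the compiled `.class` bytes themselves, which is the separate JDK/compiler question asked in the message.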
