-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable reproducible builds #24366
enable reproducible builds #24366
Conversation
6b0eb56
to
024847d
Compare
PR updated to have a current timestamp: reflects more reality of the value that you'd have had when switching to 7.0.4-SNAPSHOT (FYI I did it simply by running this PR is about Reproducible Builds: https://reproducible-builds.org/ = the objective is to have same binary as output having a reproducible timestamp is a necessity to get the same output binary from 2 builds you can get the result with versions:set, maven-release-plugin or by using git commit timestamp, as you wish (no resignation in any strategy): you don't need to change your current release practice |
024847d
to
c99f8d2
Compare
Hmmm, originally I wanted to say that binaries are still not the same and the date doesn't ensure that, but to my surprise the simplest GJULE.jar has always the same sha after your change and differs without that. But I think I understand you. Is it related to something new in Maven 4? So I tried that also with the distributed glassfish.zip: So no, we still don't have the same binary output. And this artifact is the most important. I still have doubts about this idea, but I understand now why @pzygielo wrote that he doesn't need the timestamp at all. After we merge this PR, we simply have to remove also all usages from properties and the code, because it provides false information and is worthless. As a result we lose some information just to pass So then we have to find out why the zip changes between builds. Alright, we can merge this, temporarily as this is not the final fix. I don't like that I am losing the simplest possible way to check if I started the right artifact, but what can I do ... |
@hboutemy Thank you for your patience, btw. ;-) |
everything happens at plugins level, nothing at Maven level itself: if you want to see more details, the hard core ones are here https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318
I have reproduced more than 1200 releases until now https://github.com/jvm-repo-rebuild/reproducible-central , from smallest projects to biggest ones |
i ran a real test with this PR applied: many remaining issues are just
easy to solve: i can provide more PRs after the current first one to make sure release 7.0.4 will have those simple issues fixed but as you mentioned in #24367, you have a choice to do: do you want Reproducible Builds or not? |
IMHO, setting the value of from(current release commit proc):
to:
What do you think? |
This can be done with a few changes to Jenkins' settings. (This does not solve the problem of the zip's sha changing for each build, though) |
Better would be to use maven release plugin, because it can do that automatically. But if I am the only person which uses this "feature" in logs, it is not worth of the effort. |
I suppose the current release process uses |
My intention may not have been clear. I propose that we do not explicitly set a value for "project.build.outputTimestamp" during development, and only set it for release. This way, SNAPSHOT versions can still get the usual timestamp. |
oh, now I better understand: that would mean non-Reproducible Builds during SNAPSHOT, and Reproducible Builds only on releases. This is not a scenario I expected, it will require adding and removing configuration forth and back: looks complex. |
Yes, that was my idea too, but if tools like Eclipse IDE check checksums of generated artifacts, it would be still wrong, unreproducible build. For example if m2e would use this instead of current monitoring of classes for quick rebuilds of the workspace:
I believe this is maybe more important than reproducible builds of releases, which are always built just once, uploaded, and not changed forever, that is ensured by rules of Maven Central. If it works how I described here :-) |
just applied fixes proposed by
mvn artifact:check-buildplan
, because release 7.0.3 is not reproducible at all (outputTimestamp fully dropped instead of setting an initial value)see https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/glassfish/main/README.md