You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Andreas Sewe (JIRA)" <ji...@apache.org> on 2016/04/07 19:31:26 UTC
[jira] [Created] (MSHARED-505) Add element to
to allow for reproducible builds
Andreas Sewe created MSHARED-505:
------------------------------------
Summary: Add <timestamp> element to <archive> to allow for reproducible builds
Key: MSHARED-505
URL: https://issues.apache.org/jira/browse/MSHARED-505
Project: Maven Shared Components
Issue Type: Improvement
Components: maven-archiver
Affects Versions: maven-archiver-3.0.0
Reporter: Andreas Sewe
At the moment, running {{mvn clean install}} on just about any project twice produces different JARs, as the files’ timestamps within the archive differ.
It would be great if the {{<archive>}} element would allow for a {{<timestamp>}} element to force a timestamp for all files within the archive.
This would allow uses like {{<timestamp>{$env.SOURCE_DATE_EPOCH}</timestamp>}} (see https://reproducible-builds.org/specs/source-date-epoch/). Or one could populate this using a property set by another plugin (the {{buildnumber-maven-plugin}} comes to mind, although its {{build-metadata}} goal ATM just gives the current time, not the time when the commit was made. Probably worth another request for improvement. ;-))
AFAICT, this improvement ultimately requires a change to {{AbstractZipArchiver.zipFile}} from Plexus, but I've filed it with {{maven-archiver}}, as that's the surface visible component.
Anyway, if this is a change that is of interest to others, I would be willing to provide patches to both {{maven-archiver}} and the appropriate plexus component.
FWIW, This is just one step towards reproducible builds. There's also MSHARED-494.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)