Posted to dev@plc4x.apache.org by Christofer Dutz <ch...@c-ware.de> on 2019/11/01 08:44:58 UTC

Re: Coming up soon: Reproducible Builds with maven

Hi all,

so the Maven team is currently voting on releasing some plugins in new versions that allow creating reproducible builds.

It should be possible to simply update some plugin versions and then set one additional maven property.
However, it seems there are limitations to the reproducibility:
- OS matters
- Major JDK matters

So I was thinking: How about using Docker to create a controlled release/verification environment?
We already have a Dockerfile which builds PLC4X and creates Docker images from the Hello World example.
It might be a great idea to create one for releasing and verifying ... I'm not suggesting to distribute Docker images, but to use Docker for a controlled release environment.
I guess releasing and verifying releases could become a no-brainer task.

What do you think?

Chris




On 11.10.19, 08:30, "Christofer Dutz" <ch...@c-ware.de> wrote:

    Hi all,
    
    In the Maven project there is currently a great initiative to update the core Maven plugins to allow creating reproducible builds.
    
    In theory, using a given source package and running it with the same timestamp, it should produce binary-identical output.
    
    I think this would be a great measure to increase trust. Right now theoretically nobody is able to check, when voting on a release, if the staged Maven binaries were really built from the identical source.
    
    With reproducible builds we could add another level of verification to our release process. Ideally a step comparing the built artifacts with the ones staged in Nexus. This should probably be automated though ;-)
    
    What do you generally think? A path worth walking?
    
    Chris
    
    Get Outlook for Android<https://aka.ms/ghei36>
    


Re: Coming up soon: Reproducible Builds with maven

Posted by Christofer Dutz <ch...@c-ware.de>.
Hi all,

so I created a feature-branch with updated plugin versions and all required changes for reproducible builds:
https://github.com/apache/plc4x/tree/feature/reproducible-builds

This contains a script in the root directory:
build-reproducible.sh

It should work on Mac and Linux (on Mac I needed to install "rename" with "brew install rename").

It does a full build with output to a local directory, then it cleans up this directory and packs everything into an archive.

It would be great if some of you could execute this script and somehow send me that file (ideally not via email ;-) ).

I would like to check how reproducible the builds really are.

Chris



On 01.11.19, 09:45, "Christofer Dutz" <ch...@c-ware.de> wrote:

    Hi all,
    
    so the Maven team is currently voting on releasing some plugins in new versions that allow creating reproducible builds.
    
    It should be possible to simply update some plugin versions and then set one additional maven property.
    However, it seems there are limitations to the reproducibility:
    - OS matters
    - Major JDK matters
    
    So I was thinking: How about using Docker to create a controlled release/verification environment?
    We already have a Dockerfile which builds PLC4X and creates Docker images from the Hello World example.
    It might be a great idea to create one for releasing and verifying ... I'm not suggesting to distribute Docker images, but to use Docker for a controlled release environment.
    I guess releasing and verifying releases could become a no-brainer task.
    
    What do you think?
    
    Chris
    
    
    
    
    On 11.10.19, 08:30, "Christofer Dutz" <ch...@c-ware.de> wrote:
    
        Hi all,
        
        In the Maven project there is currently a great initiative to update the core Maven plugins to allow creating reproducible builds.
        
        In theory, using a given source package and running it with the same timestamp, it should produce binary-identical output.
        
        I think this would be a great measure to increase trust. Right now theoretically nobody is able to check, when voting on a release, if the staged Maven binaries were really built from the identical source.
        
        With reproducible builds we could add another level of verification to our release process. Ideally a step comparing the built artifacts with the ones staged in Nexus. This should probably be automated though ;-)
        
        What do you generally think? A path worth walking?
        
        Chris
        
        Get Outlook for Android<https://aka.ms/ghei36>
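The verification step the thread is working towards (rebuild the source package, then compare what you got against what is staged in Nexus for the vote) as an added example. This is editor-written illustration code, not the project's build-reproducible.sh and not anything from the Maven team; the Maven property it mentions in a comment, project.build.outputTimestamp, is the one the updated core plugins read to fix the timestamps inside the produced archives. It assumes both the local rebuild output and the downloaded staging repository have been laid out as plain directories with the same relative paths, that signature and checksum sidecars are excluded from the comparison (they describe the artifacts and are checked separately), and it uses constructed sample trees with made-up file names rather than real PLC4X artifacts.

```shell
#!/bin/sh
# Added example (not the PLC4X build-reproducible.sh): verify a release vote by
# comparing a local rebuild of the source package against the artifacts staged
# for the vote, file by file, using SHA-256.
#
# Assumptions (not stated on the page):
#  - the rebuild used the same major JDK and OS as the release manager, with the
#    reproducible-builds property set, e.g.
#      mvn -B -Dproject.build.outputTimestamp=2019-11-01T08:44:58Z clean package
#  - "local" and "staged" are plain directories with the same relative layout
#    (the staged tree being what you download from the Nexus staging repository)
#  - signature and checksum sidecars (.asc .md5 .sha1 .sha256 .sha512) are
#    skipped: they describe artifacts and are never byte-for-byte reproducible.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1      # macOS fallback
    fi
}

# Print "relative-path<TAB>sha256" for every artifact below $1, sorted by path.
artifact_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f \
        ! -name '*.asc' ! -name '*.md5' ! -name '*.sha1' \
        ! -name '*.sha256' ! -name '*.sha512' \
      | sed 's|^\./||' | LC_ALL=C sort ) |
    while IFS= read -r f; do
        printf '%s\t%s\n' "$f" "$(sha256_of "$dir/$f")"
    done
}

# Compare the local rebuild ($1) with the staged artifacts ($2). Prints one
# line per artifact that differs or exists on only one side; prints nothing
# when every staged artifact was reproduced exactly.
compare_builds() {
    local_m=$(mktemp); staged_m=$(mktemp)
    artifact_manifest "$1" > "$local_m"
    artifact_manifest "$2" > "$staged_m"
    awk -F'\t' '
        FILENAME == ARGV[1] { loc[$1] = $2; next }
                            { stg[$1] = $2 }
        END {
            for (p in loc) if (!(p in stg))                    printf "%-12s %s\n", "ONLY-LOCAL",  p
            for (p in stg) if (!(p in loc))                    printf "%-12s %s\n", "ONLY-STAGED", p
            for (p in loc) if ((p in stg) && loc[p] != stg[p]) printf "%-12s %s\n", "DIFF",        p
        }' "$local_m" "$staged_m" | LC_ALL=C sort
    rm -f "$local_m" "$staged_m"
}

# Number of findings; 0 means the rebuild is byte-identical to the staged set.
count_mismatches() {
    compare_builds "$1" "$2" | wc -l | tr -d ' '
}

# Constructed sample trees (made-up names, not real PLC4X artifacts): one
# identical jar, one jar whose bytes differ, a signature sidecar that must be
# ignored, and a pom present only on the staged side.
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/local/org/example" "$root/staged/org/example"
    printf 'same bytes\n'        > "$root/local/org/example/example-core.jar"
    printf 'same bytes\n'        > "$root/staged/org/example/example-core.jar"
    printf 'built 2019-11-01\n'  > "$root/local/org/example/example-driver.jar"
    printf 'built 2019-11-02\n'  > "$root/staged/org/example/example-driver.jar"
    printf 'fake signature\n'    > "$root/staged/org/example/example-core.jar.asc"
    printf '<project/>\n'        > "$root/staged/org/example/example-core.pom"
    echo "$root"
}

# Run with "--demo" to see the two expected findings on the sample trees.
if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_trees)
    compare_builds "$root/local" "$root/staged"
    rm -rf "$root"
fi
```

Running the file with `--demo` reports a DIFF for example-driver.jar and an ONLY-STAGED line for example-core.pom, and nothing for the .asc sidecar. For a real vote, point compare_builds at the directory the build script leaves behind and at a download of the staging repository. A non-empty report only tells you the build is not reproducible in your environment; it does not by itself say which side is wrong. Given the OS and major-JDK caveats from the thread, the first thing to rule out is an environment difference, which is where the proposed controlled Docker build environment helps, and the second is to list the entries of the differing jar on both sides and look at their timestamps and ordering.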