You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@maven.apache.org by "Michael Osipov (Jira)" <ji...@apache.org> on 2020/10/27 20:46:00 UTC

[jira] [Moved] (MJAR-275) outputTimestamp not applied to module-info; breaks reproducible builds

     [ https://issues.apache.org/jira/browse/MJAR-275?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Osipov moved MCOMPILER-439 to MJAR-275:
-----------------------------------------------

        Fix Version/s:     (was: waiting-for-feedback)
                  Key: MJAR-275  (was: MCOMPILER-439)
    Affects Version/s:     (was: 3.8.1)
                       3.2.0
              Project: Maven JAR Plugin  (was: Maven Compiler Plugin)

> outputTimestamp not applied to module-info; breaks reproducible builds
> ----------------------------------------------------------------------
>
>                 Key: MJAR-275
>                 URL: https://issues.apache.org/jira/browse/MJAR-275
>             Project: Maven JAR Plugin
>          Issue Type: Bug
>    Affects Versions: 3.2.0
>         Environment: Mac OS X 10.14.6
> JDK 15 (build 15+36)
> JDK 11 (build 11.0.8+10)
>            Reporter: Anand Beh
>            Priority: Minor
>         Attachments: MCOMPILER-439.zip, Screenshot 2020-10-25 at 2.35.59 PM.png
>
>
> Setting {{project.build.outputTimestamp}} to a fixed value allows creating reproducible builds per this guide: [https://maven.apache.org/guides/mini/guide-reproducible-builds.html |https://maven.apache.org/guides/mini/guide-reproducible-builds.html]However, if one adds a module-info file to the project, reproducible builds break.
> This is caused by module-info.class using the latest timestamp and not {{project.build.outputTimestamp}}. I was able to identify the problem using diffoscope: [https://diffoscope.org/.|https://diffoscope.org/] With it I determined the timestamp across 2 builds was constant for all but the module-info.class:
>  
> {code:java}
>   -rw----     2.0 fat      862 bl defN 20-Oct-17 00:40 space/arim/libertybans/api/select/SelectionOrder.class
> │  -rw----     2.0 fat     1113 bl defN 20-Oct-17 00:40 space/arim/libertybans/api/select/SelectionOrderBuilder.class
> │  -rw----     2.0 fat     2285 bl defN 20-Oct-17 00:40 META-INF/maven/space.arim.libertybans/bans-api/pom.xml
> │  -rw----     2.0 fat       74 bl defN 20-Oct-17 00:40 META-INF/maven/space.arim.libertybans/bans-api/pom.properties
> │ --rw----     2.0 fat      557 bl defN 20-Oct-25 12:39 module-info.class
> │ +-rw----     2.0 fat      557 bl defN 20-Oct-25 12:41 module-info.class
> {code}
>  
> Note the + and - which are diffoscope's way of indicating the difference between the .jar files. Here the {{project.build.outputTimestamp}} is on 17 October. As shown, module-info has a "rebellious" timestamp.
>  
> *EDIT:*
> Example project to reproduce the bug:
> [https://github.com/A248/MCOMPILER-439]
> (Source code is also provided as an attachment)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)