Posted to dev@netbeans.apache.org by Emilian Bold <em...@protonmail.ch> on 2017/11/09 12:36:42 UTC

Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]

>> Every build of a jar will produce a different sha, so your assessment
>> is correct.

Another reason NetBeans builds should be reproducible.

Rather amazed Apache does not have a foundation-wide move like Debian's https://wiki.debian.org/ReproducibleBuilds

--emi

Re: Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]

Posted by Neil C Smith <ne...@apache.org>.
On Thu, Nov 9, 2017 at 6:56 PM Victor Williams Stafusa da Silva <
victorwssilva@gmail.com> wrote:

> Not sure if someone already mentioned or acknowledged that, but let's give
> a look at this:
>
>
> http://zlika.github.io/presentations/devoxx_fr_2016/reproducible-builds/slides_en.html
>
>
Thanks. Interesting link.  I assume that this would involve us either
hosting binaries and/or modified source packages though?  Or could we
automate from a Maven Central source download with a convenience cache?

Best wishes,

Neil
-- 
Neil C Smith
Artist & Technologist
www.neilcsmith.net

Praxis LIVE - hybrid visual IDE for creative coding - www.praxislive.org

Re: Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]

Posted by Emilian Bold <em...@protonmail.ch>.
I assume https://github.com/emilianbold/reproducible-nextbeans and https://nextbeans.com/reproducible.html are known already.

--emi

Re: Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]

Posted by Victor Williams Stafusa da Silva <vi...@gmail.com>.
Not sure if someone already mentioned or acknowledged that, but let's give
a look at this:

http://zlika.github.io/presentations/devoxx_fr_2016/reproducible-builds/slides_en.html

Victor Williams Stafusa da Silva

2017-11-09 16:30 GMT-02:00 Antonio <an...@vieiro.net>:

> On 09/11/17 at 13:36, Emilian Bold wrote:
>
>>>> Every build of a jar will produce a different sha, so your assessment
>>>> is correct.
>>
> Mmm.... that would depend on how you checksum the jar file. I imagine that
> we could checksum all the contents of the jar file _except_ for specific
> lines in the META-INF/MANIFEST.MF file (those talking about build times and
> jdk versions). The rest of the file should produce the same checksum (being
> compiled with the same JDK). Let's call this the "Java Checksum", right?
>
> Computing the "Java Checksum" will, of course, be costly performance-wise,
> I think.
>
> So we could have a secondary, optional, "Java Checksum" for binaries. If
> the first usual SHA-1 checksum (quick to compute) fails then a "Java
> Checksum" would be used instead.
>
> Cheers,
> Antonio
>
> P.S.: Another option would be to prune those lines that get modified in
> each build in the MANIFEST.MF file after creating the jar file.
>
>
>> Another reason NetBeans builds should be reproducible.
>>
>> Rather amazed Apache does not have a foundation-wide move like Debian's
>> https://wiki.debian.org/ReproducibleBuilds
>>
>> --emi
>>
>>

Re: Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]

Posted by Antonio <an...@vieiro.net>.
On 09/11/17 at 13:36, Emilian Bold wrote:
>>> Every build of a jar will produce a different sha, so your assessment
>>> is correct.
> 

Mmm.... that would depend on how you checksum the jar file. I imagine 
that we could checksum all the contents of the jar file _except_ for 
specific lines in the META-INF/MANIFEST.MF file (those talking about 
build times and jdk versions). The rest of the file should produce the 
same checksum (being compiled with the same JDK). Let's call this the 
"Java Checksum", right?

Computing the "Java Checksum" will, of course, be costly 
performance-wise, I think.

So we could have a secondary, optional, "Java Checksum" for binaries. If 
the first usual SHA-1 checksum (quick to compute) fails then a "Java 
Checksum" would be used instead.

Cheers,
Antonio

P.S.: Another option would be to prune those lines that get modified in 
each build in the MANIFEST.MF file after creating the jar file.

> Another reason NetBeans builds should be reproducible.
> 
> Rather amazed Apache does not have a foundation-wide move like Debian's https://wiki.debian.org/ReproducibleBuilds
> 
> --emi
> 
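
Added example (not from any post in this thread and not NetBeans code): a sketch of the "Java Checksum" described in the message above, hashing every jar entry by name and content while skipping build-specific manifest attributes, with the quick SHA-1 tried first. The attribute names in VOLATILE_ATTRS, the choice of SHA-256 for the content hash, and all function names are assumptions; the sample jars are constructed in memory.

```python
import hashlib
import io
import zipfile

# Assumed attribute names; the post only says "build times and jdk versions".
VOLATILE_ATTRS = {"built-by", "build-jdk", "build-date", "created-by", "ant-version"}

def stable_manifest(data: bytes) -> bytes:
    """Drop volatile attributes, including their continuation lines."""
    kept, skipping = [], False
    for line in data.splitlines():
        if line.startswith(b" "):  # continuation of the previous attribute
            if not skipping:
                kept.append(line)
            continue
        name = line.split(b":", 1)[0].strip().lower().decode("utf-8", "replace")
        skipping = name in VOLATILE_ATTRS
        if not skipping:
            kept.append(line)
    return b"\n".join(kept)

def java_checksum(jar_bytes: bytes) -> str:
    """SHA-256 over sorted entry names and contents; zip timestamps are ignored."""
    digest = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in sorted(n for n in jar.namelist() if not n.endswith("/")):
            body = jar.read(name)
            if name.upper() == "META-INF/MANIFEST.MF":
                body = stable_manifest(body)
            # Length-prefix each field so entry boundaries are unambiguous.
            for part in (name.encode("utf-8"), body):
                digest.update(len(part).to_bytes(8, "big") + part)
    return digest.hexdigest()

def verify(jar_bytes: bytes, plain_sha1: str, java_sum: str) -> str:
    """Quick SHA-1 first, then the content checksum as the fallback."""
    if hashlib.sha1(jar_bytes).hexdigest() == plain_sha1:
        return "exact"
    return "content-match" if java_checksum(jar_bytes) == java_sum else "mismatch"

def build_sample_jar(build_date: str, mtime: tuple, class_bytes: bytes) -> bytes:
    """Constructed sample input: a two-entry jar built in memory."""
    manifest = f"Manifest-Version: 1.0\r\nBuild-Date: {build_date}\r\nBuild-Jdk: 1.8.0_151\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", mtime), manifest)
        jar.writestr(zipfile.ZipInfo("org/example/A.class", mtime), class_bytes)
    return buf.getvalue()
```

Whatever sits in an ignored attribute is not covered by the content checksum, so the ignore list should stay as short as the build allows.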

Re: Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]

Posted by Emilian Bold <em...@protonmail.ch>.
Then again a lot of the Java world uses either Ant or Maven both of which don't support reproducible builds or have any visible interest in it.

--emi

>-------- Original Message --------
>Subject: Re: Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]
>Local Time: November 9, 2017 4:26 PM
>UTC Time: November 9, 2017 2:26 PM
>From: jaroslav.tulach@gmail.com
>To: dev@netbeans.incubator.apache.org, Emilian Bold <em...@protonmail.ch>
>
>2017-11-09 13:36 GMT+01:00 Emilian Bold emilian.bold@protonmail.ch:
>>>> Every build of a jar will produce a different sha, so your assessment
>>>> is correct.
>>>Another reason NetBeans builds should be reproducible.
>>Rather amazed Apache does not have a foundation-wide move like Debian's
>>https://wiki.debian.org/ReproducibleBuilds
>>
>+1 I would also expect this to be a foundation-wide effort.
>
> However Debian is in a better position. They control the whole OS and build
> environment. This is not the kind of control Apache can have (from what I
> see).
> -jt

Re: Reproducible NetBeans builds [WAS: Re: HTML/Java checksums was: Release Apache NetBeans 9.0 Alpha (incubating)]

Posted by Jaroslav Tulach <ja...@gmail.com>.
2017-11-09 13:36 GMT+01:00 Emilian Bold <em...@protonmail.ch>:

> >> Every build of a jar will produce a different sha, so your assessment
> >> is correct.
>
> Another reason NetBeans builds should be reproducible.
>
> Rather amazed Apache does not have a foundation-wide move like Debian's
> https://wiki.debian.org/ReproducibleBuilds
>

+1 I would also expect this to be a foundation-wide effort.

However Debian is in a better position. They control the whole OS and build
environment. This is not the kind of control Apache can have (from what I
see).
-jt