You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@sling.apache.org by "Robert Munteanu (Jira)" <ji...@apache.org> on 2020/05/14 07:23:00 UTC
[jira] [Closed] (SLING-9307) Make build fully reproducible
[ https://issues.apache.org/jira/browse/SLING-9307?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Munteanu closed SLING-9307.
----------------------------------
> Make build fully reproducible
> -----------------------------
>
> Key: SLING-9307
> URL: https://issues.apache.org/jira/browse/SLING-9307
> Project: Sling
> Issue Type: Bug
> Components: General
> Affects Versions: Parent 38
> Reporter: Konrad Windszus
> Assignee: Konrad Windszus
> Priority: Major
> Fix For: Parent 39
>
>
> According to https://github.com/jvm-repo-rebuild/reproducible-central#results builds with parent 38 are not fully reproducible yet. AFAICS this is caused by the fact, that we use a slightly outdated maven-source-plugin (https://github.com/apache/sling-parent/blob/129ae7a6d8426be32877eaed0b20b43c5cd7b223/sling-parent/pom.xml#L321). In general no version should be managed to a lower version than given in the ASF parent (e.g. https://github.com/apache/maven-apache-parent/blob/591f84284d4bce53ca2ee686c1d84b16e8029716/pom.xml#L288).
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Re: Reproducible builds documentation? (was: [jira] [Closed]
(SLING-9307) Make build fully reproducible)
Posted by Robert Munteanu <ro...@apache.org>.
On Thu, 2020-05-14 at 12:03 +0200, Konrad Windszus wrote:
> Maven-release-plugin will update it automatically during the release.
> So it is just a one time thing to add it with an arbitrary value to
> the pom.xml
Ack. I find it a bit confusing though to have those entries in regular
POM files, but that's a small thing.
Thanks,
Robert
>
> > On 14. May 2020, at 11:59, Robert Munteanu <ro...@apache.org>
> > wrote:
> >
> > I think it would be nice to configure the release process to
> > automatically add the project.build.outputTimestamp property to the
> > POM
> > when releasing.
Re: Reproducible builds documentation? (was: [jira] [Closed]
(SLING-9307) Make build fully reproducible)
Posted by Konrad Windszus <ko...@gmx.de>.
Maven-release-plugin will update it automatically during the release. So it is just a one time thing to add it with an arbitrary value to the pom.xml
> On 14. May 2020, at 11:59, Robert Munteanu <ro...@apache.org> wrote:
>
> I think it would be nice to configure the release process to
> automatically add the project.build.outputTimestamp property to the POM
> when releasing.
Re: Reproducible builds documentation? (was: [jira] [Closed]
(SLING-9307) Make build fully reproducible)
Posted by Robert Munteanu <ro...@apache.org>.
On Thu, 2020-05-14 at 11:45 +0200, Konrad Windszus wrote:
> Hi,
>
> Yes, all bundles built with the latest parent should be reproducible
> (i.e. generate always the same checksum under certain circumstances).
> There is some documentation at
> https://maven.apache.org/guides/mini/guide-reproducible-builds.html <
> https://maven.apache.org/guides/mini/guide-reproducible-builds.html>;
I think it would be nice to configure the release process to
automatically add the project.build.outputTimestamp property to the POM
when releasing.
This way, rebuilding from a tag should succeed out-of-the-box.
> .
>
> Some sling artifacts are already listed at
> https://github.com/jvm-repo-rebuild/reproducible-central <
> https://github.com/jvm-repo-rebuild/reproducible-central>;.
> Our check script should be adjusted to verify that you end up with
> the same checksum.
Isn't the build result dependant on the OS and JDK version used?
Thanks,
Robert
> Haven't had a chance to look at this yet though
>
> Konrad
>
> > On 14. May 2020, at 11:39, Bertrand Delacretaz <
> > bdelacretaz@apache.org> wrote:
> >
> > Hi,
> >
> > On Thu, May 14, 2020 at 9:23 AM Robert Munteanu (Jira) <
> > jira@apache.org> wrote:
> > > Robert Munteanu closed SLING-9307...
> > > > Make build fully reproducible...
> >
> > Does this mean our builds are fully reproducible?
> >
> > And do we have documentation about that, how to avoid breaking that
> > in
> > modules, how to validate it etc. ?
> >
> > I haven't followed that story, sorry if I missed something.
> >
> > -Bertrand
Re: Reproducible builds documentation? (was: [jira] [Closed]
(SLING-9307) Make build fully reproducible)
Posted by Konrad Windszus <ko...@gmx.de>.
Hi,
Yes, all bundles built with the latest parent should be reproducible (i.e. generate always the same checksum under certain circumstances).
There is some documentation at https://maven.apache.org/guides/mini/guide-reproducible-builds.html <https://maven.apache.org/guides/mini/guide-reproducible-builds.html>.
Some sling artifacts are already listed at https://github.com/jvm-repo-rebuild/reproducible-central <https://github.com/jvm-repo-rebuild/reproducible-central>.
Our check script should be adjusted to verify that you end up with the same checksum.
Haven't had a chance to look at this yet though
Konrad
> On 14. May 2020, at 11:39, Bertrand Delacretaz <bd...@apache.org> wrote:
>
> Hi,
>
> On Thu, May 14, 2020 at 9:23 AM Robert Munteanu (Jira) <ji...@apache.org> wrote:
>> Robert Munteanu closed SLING-9307...
>>> Make build fully reproducible...
>
> Does this mean our builds are fully reproducible?
>
> And do we have documentation about that, how to avoid breaking that in
> modules, how to validate it etc. ?
>
> I haven't followed that story, sorry if I missed something.
>
> -Bertrand
Reproducible builds documentation? (was: [jira] [Closed] (SLING-9307)
Make build fully reproducible)
Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,
On Thu, May 14, 2020 at 9:23 AM Robert Munteanu (Jira) <ji...@apache.org> wrote:
> Robert Munteanu closed SLING-9307...
> > Make build fully reproducible...
Does this mean our builds are fully reproducible?
And do we have documentation about that, how to avoid breaking that in
modules, how to validate it etc. ?
I haven't followed that story, sorry if I missed something.
-Bertrand