You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@jmeter.apache.org by Vladimir Sitnikov <si...@gmail.com> on 2019/03/03 10:09:30 UTC
Manifest entries in the generated jars vs reproducible builds
Hi,
I review META-INF/MANIFEST.MF entries, and I believe some of them should be
dropped to reduce noise and to make builds reproducible (see
https://reproducible-builds.org/ ).
Even though it might be fine to release JMeter with those entries, I see no
reason to replicate that behavior in Gradle-based build.
I don't see how Ant-Version, Created-By, X-Compile-Source-JDK,
X-Compile-Target-JDK, Extension-Name helps.
If we want to pay special tribute to Built-By, then we could do that
elsewhere.
My main message here is:
1) I won't create Ant-Version, Created-By, X-Compile-Source-JDK,
X-Compile-Target-JDK, Extension-Name manifest entries in Gradle-based build
2) I don't care if Ant-based build is adjusted or not to drop those entries
Other concerns (they can be applied later, after we adopt Gradle):
3) Implementation-Vendor-Id should probably be org.apache.jmeter
4) Specification-Title should probably include artifact name. For instance:
"Apache JMeter core", "Apache JMeter functions". Currently we have Apache
JMeter everywhere which is kind of useless
5) We might want to add Implementation-URL entry
6) We might want to replace "Apache Software Foundation" with "The Apache
Software Foundation" (I'm not a lawyer, but :) )
Any thoughts?
Here's MANIFEST from JMeter 5.0:
Manifest-Version: 1.0
Ant-Version: Apache Ant 1.10.5
Created-By: 1.8.0_162-b12 (Oracle Corporation)
Built-By: milamber@apache.org
Extension-Name: JMeter
Specification-Title: Apache JMeter
Specification-Vendor: Apache Software Foundation
Implementation-Vendor: Apache Software Foundation
Implementation-Vendor-Id: org.apache
Implementation-Version: 5.0 r1840935
X-Compile-Source-JDK: 1.8
X-Compile-Target-JDK: 1.8
Extra properties like "Built-By" prevent
I suggest to have the following items:
Manifest-Version: 1.0
Specification-Title: Apache JMeter
Specification-Vendor: Apache Software Foundation
Implementation-Vendor: Apache Software Foundation
Implementation-Vendor-Id: org.apache
Implementation-Version: 5.0...
Vladimir
Re: Manifest entries in the generated jars vs reproducible builds
Posted by Vladimir Sitnikov <si...@gmail.com>.
sebb> Surely one can allow for differences in the values of these entries?
Different values would make checksum of the archive different.
In the ideal world I must not trust binaries of a release (e.g. during
release vote). I should be able to build exactly the same binaries in my
environment and verify that my checksum matches the one presented for a
vote.
sebb> This was added to make it easier to track back to the builder in case
sebb> there are issues with the build.
Neither history nor comments in build xml mean that.
${user.name} can easily contain private bits.
Vladimir
Re: Manifest entries in the generated jars vs reproducible builds
Posted by sebb <se...@gmail.com>.
On Sun, 3 Mar 2019 at 10:09, Vladimir Sitnikov
<si...@gmail.com> wrote:
>
> Hi,
>
> I review META-INF/MANIFEST.MF entries, and I believe some of them should be
> dropped to reduce noise and to make builds reproducible (see
> https://reproducible-builds.org/ ).
Surely one can allow for differences in the values of these entries?
> Even though it might be fine to release JMeter with those entries, I see no
> reason to replicate that behavior in Gradle-based build.
>
> I don't see how Ant-Version, Created-By, X-Compile-Source-JDK,
> X-Compile-Target-JDK, Extension-Name helps.
IIRC, most of the above entries were added to help debug
compiler-specific issues - not all compilers are equal.
> If we want to pay special tribute to Built-By, then we could do that
> elsewhere.
This was added to make it easier to track back to the builder in case
there are issues with the build.
> My main message here is:
> 1) I won't create Ant-Version, Created-By, X-Compile-Source-JDK,
> X-Compile-Target-JDK, Extension-Name manifest entries in Gradle-based build
I think they should be kept.
> 2) I don't care if Ant-based build is adjusted or not to drop those entries
>
> Other concerns (they can be applied later, after we adopt Gradle):
> 3) Implementation-Vendor-Id should probably be org.apache.jmeter
I don't think the vendor is the JMeter PMC, it is the ASF.
This needs to be checked with the official manifest docs.
> 4) Specification-Title should probably include artifact name. For instance:
> "Apache JMeter core", "Apache JMeter functions". Currently we have Apache
> JMeter everywhere which is kind of useless
I don't think that is the purpose of the entry.
The specification is surely JMeter; there aren't separate specs for each jar.
This needs to be checked with the official manifest docs.
> 5) We might want to add Implementation-URL entry
What does that indicate?
How will it help?
> 6) We might want to replace "Apache Software Foundation" with "The Apache
> Software Foundation" (I'm not a lawyer, but :) )
Probably OK, but it's not clear whether 'The' is part of the formal name or not.
Ask on legal-discuss.
> Any thoughts?
>
> Here's MANIFEST from JMeter 5.0:
>
> Manifest-Version: 1.0
> Ant-Version: Apache Ant 1.10.5
> Created-By: 1.8.0_162-b12 (Oracle Corporation)
> Built-By: milamber@apache.org
> Extension-Name: JMeter
> Specification-Title: Apache JMeter
> Specification-Vendor: Apache Software Foundation
> Implementation-Vendor: Apache Software Foundation
> Implementation-Vendor-Id: org.apache
> Implementation-Version: 5.0 r1840935
> X-Compile-Source-JDK: 1.8
> X-Compile-Target-JDK: 1.8
>
> Extra properties like "Built-By" prevent
>
> I suggest to have the following items:
> Manifest-Version: 1.0
> Specification-Title: Apache JMeter
> Specification-Vendor: Apache Software Foundation
> Implementation-Vendor: Apache Software Foundation
> Implementation-Vendor-Id: org.apache
> Implementation-Version: 5.0...
>
>
> Vladimir