Manifest entries in the generated jars vs reproducible builds

[Vladimir Sitnikov <si...@gmail.com>]

Hi,

I review META-INF/MANIFEST.MF entries, and I believe some of them should be
dropped to reduce noise and to make builds reproducible (see
https://reproducible-builds.org/ ).
Even though it might be fine to release JMeter with those entries, I see no
reason to replicate that behavior in Gradle-based build.

I don't see how Ant-Version, Created-By, X-Compile-Source-JDK,
X-Compile-Target-JDK, Extension-Name helps.
If we want to pay special tribute to Built-By, then we could do that
elsewhere.

My main message here is:
1) I won't create Ant-Version, Created-By, X-Compile-Source-JDK,
X-Compile-Target-JDK, Extension-Name manifest entries in Gradle-based build
2) I don't care if Ant-based build is adjusted or not to drop those entries

Other concerns (they can be applied later, after we adopt Gradle):
3) Implementation-Vendor-Id should probably be org.apache.jmeter
4) Specification-Title should probably include artifact name. For instance:
"Apache JMeter core", "Apache JMeter functions". Currently we have Apache
JMeter everywhere which is kind of useless
5) We might want to add Implementation-URL entry
6) We might want to replace "Apache Software Foundation" with "The Apache
Software Foundation" (I'm not a lawyer, but :) )

Any thoughts?

Here's MANIFEST from JMeter 5.0:

Manifest-Version: 1.0
Ant-Version: Apache Ant 1.10.5
Created-By: 1.8.0_162-b12 (Oracle Corporation)
Built-By: milamber@apache.org
Extension-Name:  JMeter
Specification-Title:  Apache JMeter
Specification-Vendor:  Apache Software Foundation
Implementation-Vendor:  Apache Software Foundation
Implementation-Vendor-Id:  org.apache
Implementation-Version: 5.0 r1840935
X-Compile-Source-JDK: 1.8
X-Compile-Target-JDK: 1.8

Extra properties like "Built-By" prevent

I suggest to have the following items:
Manifest-Version: 1.0
Specification-Title:  Apache JMeter
Specification-Vendor:  Apache Software Foundation
Implementation-Vendor:  Apache Software Foundation
Implementation-Vendor-Id:  org.apache
Implementation-Version: 5.0...


Vladimir

Re: Manifest entries in the generated jars vs reproducible builds

[Vladimir Sitnikov <si...@gmail.com>]

sebb> Surely one can allow for differences in the values of these entries?

Different values would make checksum of the archive different.

In the ideal world I must not trust binaries of a release (e.g. during
release vote). I should be able to build exactly the same binaries in my
environment and verify that my checksum matches the one presented for a
vote.

sebb> This was added to make it easier to track back to the builder in case
sebb> there are issues with the build.

Neither history nor comments in build xml mean that.

${user.name} can easily contain private bits.

Vladimir

Re: Manifest entries in the generated jars vs reproducible builds

[sebb <se...@gmail.com>]

On Sun, 3 Mar 2019 at 10:09, Vladimir Sitnikov
<si...@gmail.com> wrote:
>
> Hi,
>
> I review META-INF/MANIFEST.MF entries, and I believe some of them should be
> dropped to reduce noise and to make builds reproducible (see
> https://reproducible-builds.org/ ).

Surely one can allow for differences in the values of these entries?

> Even though it might be fine to release JMeter with those entries, I see no
> reason to replicate that behavior in Gradle-based build.
>
> I don't see how Ant-Version, Created-By, X-Compile-Source-JDK,
> X-Compile-Target-JDK, Extension-Name helps.

IIRC, most of the above entries were added to help debug
compiler-specific issues - not all compilers are equal.

> If we want to pay special tribute to Built-By, then we could do that
> elsewhere.

This was added to make it easier to track back to the builder in case
there are issues with the build.

> My main message here is:
> 1) I won't create Ant-Version, Created-By, X-Compile-Source-JDK,
> X-Compile-Target-JDK, Extension-Name manifest entries in Gradle-based build

I think they should be kept.

> 2) I don't care if Ant-based build is adjusted or not to drop those entries
>
> Other concerns (they can be applied later, after we adopt Gradle):
> 3) Implementation-Vendor-Id should probably be org.apache.jmeter

I don't think the vendor is the JMeter PMC, it is the ASF.
This needs to be checked with the official manifest docs.

> 4) Specification-Title should probably include artifact name. For instance:
> "Apache JMeter core", "Apache JMeter functions". Currently we have Apache
> JMeter everywhere which is kind of useless

I don't think that is the purpose of the entry.
The specification is surely JMeter; there aren't separate specs for each jar.
This needs to be checked with the official manifest docs.

> 5) We might want to add Implementation-URL entry

What does that indicate?
How will it help?

> 6) We might want to replace "Apache Software Foundation" with "The Apache
> Software Foundation" (I'm not a lawyer, but :) )

Probably OK, but it's not clear whether 'The' is part of the formal name or not.
Ask on legal-discuss.

> Any thoughts?
>
> Here's MANIFEST from JMeter 5.0:
>
> Manifest-Version: 1.0
> Ant-Version: Apache Ant 1.10.5
> Created-By: 1.8.0_162-b12 (Oracle Corporation)
> Built-By: milamber@apache.org
> Extension-Name:  JMeter
> Specification-Title:  Apache JMeter
> Specification-Vendor:  Apache Software Foundation
> Implementation-Vendor:  Apache Software Foundation
> Implementation-Vendor-Id:  org.apache
> Implementation-Version: 5.0 r1840935
> X-Compile-Source-JDK: 1.8
> X-Compile-Target-JDK: 1.8
>
> Extra properties like "Built-By" prevent
>
> I suggest to have the following items:
> Manifest-Version: 1.0
> Specification-Title:  Apache JMeter
> Specification-Vendor:  Apache Software Foundation
> Implementation-Vendor:  Apache Software Foundation
> Implementation-Vendor-Id:  org.apache
> Implementation-Version: 5.0...
>
>
> Vladimir