You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Herve Boutemy (Jira)" <ji...@apache.org> on 2020/05/10 14:51:00 UTC

[jira] [Updated] (MWAR-432) Reproducible Builds: make entries in output jar files reproducible (order + timestamp)

     [ https://issues.apache.org/jira/browse/MWAR-432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Herve Boutemy updated MWAR-432:
-------------------------------
    Description: 
since a jar file is a zip file, entries order and timestamp are a natural source of non Reproducible Builds: [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318]

but given how war containers use timestamp to serve content, maybe fixed timestamp for SNASPHOTs is not appropriate: see https://github.com/gradle/gradle/issues/10917

after discussion, given we don't force to a fixed timestamp but use a configured one,  no issue...

  was:
since a jar file is a zip file, entries order and timestamp are a natural source of non Reproducible Builds: [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318]

but given how Tomcat uses timestamp to serve content, maybe fixed timestamp for SNASPHOTs is not appropriate: see https://github.com/gradle/gradle/issues/10917


> Reproducible Builds: make entries in output jar files reproducible (order + timestamp)
> --------------------------------------------------------------------------------------
>
>                 Key: MWAR-432
>                 URL: https://issues.apache.org/jira/browse/MWAR-432
>             Project: Maven WAR Plugin
>          Issue Type: New Feature
>    Affects Versions: 3.2.3
>            Reporter: Herve Boutemy
>            Priority: Major
>             Fix For: 3.3.0
>
>
> since a jar file is a zip file, entries order and timestamp are a natural source of non Reproducible Builds: [https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318]
> but given how war containers use timestamp to serve content, maybe fixed timestamp for SNASPHOTs is not appropriate: see https://github.com/gradle/gradle/issues/10917
> after discussion, given we don't force to a fixed timestamp but use a configured one,  no issue...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)