Posted to jdo-dev@db.apache.org by Michael Bouschen <mb...@apache.org> on 2022/02/10 21:33:25 UTC

Reproducible JDO Build

Hi,

our JDO build is now reproducible, I just have to follow the 
instructions given by hboutemy.

First I call 'mvn clean install' which builds all the artifacts and 
stores them in the local maven repository.
Then I call 'mvn clean package artifact:compare' which builds the
artifacts again, but only in the target directory.
The plugin compares the artifacts in the maven repository with the ones
in the target directory by creating buildinfos for the artifacts and 
comparing them.

This process also works for SNAPSHOT versions.

Regards Michael


Re: Reproducible JDO Build

Posted by Craig Russell <ap...@gmail.com>.
Hi Til,

I'm out of ideas as well.

Perhaps we should start a thread on the maven dev list (cc: jdo-dev)?

Craig

> On Feb 14, 2022, at 1:42 AM, Tilmann <ti...@gmx.de> wrote:
> 
> Hi Craig,
> 
> yes, I think generally (e.g. C++) reproducible builds are good and can
> be quite useful. With Java, it's a bit more limited, I assume the main
> problems are the JDK version, dependencies (e.g. .pom with version
> ranges) and the build platform (Windows line breaks, JNI dependencies,
> ...); after all, in Java we deliver a .jar file, not a binary.
> --> I am all in favor of having reproducible builds.
> 
> What I do not understand at the moment is the benefit of:
> 
> mvn clean install
> mvn clean package artifact:compare
> 
> It compares a local build with another local build, so it's avoiding all
> the things that could possibly fail (JDK, dependencies, platform), at
> least as far as I can tell. How can this ever fail? In what way does
> this check for build reproducibility?
> 
> I'm sure I am missing something here...
> 
> Regards,
> Til
> 
> 
> a nice to have.
> 
> On 12/02/2022 02:17, Craig Russell wrote:
>> Hi Til,
>> 
>> I had a brief look at the internets and found some interesting commentary on the subject. https://reproducible-builds.org/docs/deterministic-build-systems/
>> 
>> I didn't spend much time, but there are a few things that I took away from that. I think that Java makes it easier because any machine supporting Java (specific version) will produce reproducible results if some rules are followed. This is not the case for other compilers that actually might produce different results on different machines.
>> 
>> Anyway, I still think it's good to verify reproducible results in our project.
>> 
>> Regards,
>> Craig
>> 
>>> On Feb 11, 2022, at 5:15 AM, Tilmann<ti...@gmx.de>  wrote:
>>> 
>>>> The plugin compares the artifacts in the maven repository with the
>>> ones in the target directory by creating buildinfos for the artifacts
>>> and comparing them.
>>> 
>>> So the process compares two builds that have been built locally on the
>>> same machine. I don't think I understand how this is meant to work (I
>>> had a look at
>>> https://maven.apache.org/plugins/maven-artifact-plugin/index.html  but no
>>> luck):
>>> - If I build both versions locally, why would they ever differ?
>>> - Is there a way to use this process to detect any problems caused by
>>> building on different machines/environment (because it is always run on
>>> the same machine)? It seems like one has to copy builds from another
>>> machine or at least set-up a private repository that can be accessed by
>>> multiple machines...?
>>> 
>>> Til
>>> 
>>> 
>>> 
>>> On 10/02/2022 22:33, Michael Bouschen wrote:
>>>> Hi,
>>>> 
>>>> our JDO build is now reproducible, I just have to follow the
>>>> instructions given by hboutemy.
>>>> 
>>>> First I call 'mvn clean install' which builds all the artifacts and
>>>> stores them in the local maven repository.
>>>> Then I call 'mvn clean package artifact:compare' which builds the
>>>> artifacts again, but only in the target directory.
>>>> The plugin compares the artifacts in the maven repository with the ones
>>>> in the target directory by creating buildinfos for the artifacts and
>>>> comparing them.
>>>> 
>>>> This process also works for SNAPSHOT versions.
>>>> 
>>>> Regards Michael
>>>> 
>> Craig L Russell
>> clr@apache.org
>> 

Craig L Russell
clr@apache.org


Re: Reproducible JDO Build

Posted by Tilmann <ti...@gmx.de>.
Hi Craig,

yes, I think generally (e.g. C++) reproducible builds are good and can
be quite useful. With Java, it's a bit more limited, I assume the main
problems are the JDK version, dependencies (e.g. .pom with version
ranges) and the build platform (Windows line breaks, JNI dependencies,
...); after all, in Java we deliver a .jar file, not a binary.
--> I am all in favor of having reproducible builds.

What I do not understand at the moment is the benefit of:

mvn clean install
mvn clean package artifact:compare

It compares a local build with another local build, so it's avoiding all
the things that could possibly fail (JDK, dependencies, platform), at
least as far as I can tell. How can this ever fail? In what way does
this check for build reproducibility?

I'm sure I am missing something here...

Regards,
Til


a nice to have.

On 12/02/2022 02:17, Craig Russell wrote:
> Hi Til,
>
> I had a brief look at the internets and found some interesting commentary on the subject. https://reproducible-builds.org/docs/deterministic-build-systems/
>
> I didn't spend much time, but there are a few things that I took away from that. I think that Java makes it easier because any machine supporting Java (specific version) will produce reproducible results if some rules are followed. This is not the case for other compilers that actually might produce different results on different machines.
>
> Anyway, I still think it's good to verify reproducible results in our project.
>
> Regards,
> Craig
>
>> On Feb 11, 2022, at 5:15 AM, Tilmann<ti...@gmx.de>  wrote:
>>
>>> The plugin compares the artifacts in the maven repository with the
>> ones in the target directory by creating buildinfos for the artifacts
>> and comparing them.
>>
>> So the process compares two builds that have been built locally on the
>> same machine. I don't think I understand how this is meant to work (I
>> had a look at
>> https://maven.apache.org/plugins/maven-artifact-plugin/index.html  but no
>> luck):
>> - If I build both versions locally, why would they ever differ?
>> - Is there a way to use this process to detect any problems caused by
>> building on different machines/environment (because it is always run on
>> the same machine)? It seems like one has to copy builds from another
>> machine or at least set-up a private repository that can be accessed by
>> multiple machines...?
>>
>> Til
>>
>>
>>
>> On 10/02/2022 22:33, Michael Bouschen wrote:
>>> Hi,
>>>
>>> our JDO build is now reproducible, I just have to follow the
>>> instructions given by hboutemy.
>>>
>>> First I call 'mvn clean install' which builds all the artifacts and
>>> stores them in the local maven repository.
>>> Then I call 'mvn clean package artifact:compare' which builds the
>>> artifacts again, but only in the target directory.
>>> The plugin compares the artifacts in the maven repository with the ones
>>> in the target directory by creating buildinfos for the artifacts and
>>> comparing them.
>>>
>>> This process also works for SNAPSHOT versions.
>>>
>>> Regards Michael
>>>
> Craig L Russell
> clr@apache.org
>

Re: Reproducible JDO Build

Posted by Craig Russell <ap...@gmail.com>.
Hi Til,

I had a brief look at the internets and found some interesting commentary on the subject. https://reproducible-builds.org/docs/deterministic-build-systems/

I didn't spend much time, but there are a few things that I took away from that. I think that Java makes it easier because any machine supporting Java (specific version) will produce reproducible results if some rules are followed. This is not the case for other compilers that actually might produce different results on different machines.

Anyway, I still think it's good to verify reproducible results in our project.

Regards,
Craig

> On Feb 11, 2022, at 5:15 AM, Tilmann <ti...@gmx.de> wrote:
> 
> > The plugin compares the artifacts in the maven repository with the
> ones in the target directory by creating buildinfos for the artifacts
> and comparing them.
> 
> So the process compares two builds that have been built locally on the
> same machine. I don't think I understand how this is meant to work (I
> had a look at
> https://maven.apache.org/plugins/maven-artifact-plugin/index.html but no
> luck):
> - If I build both versions locally, why would they ever differ?
> - Is there a way to use this process to detect any problems caused by
> building on different machines/environment (because it is always run on
> the same machine)? It seems like one has to copy builds from another
> machine or at least set-up a private repository that can be accessed by
> multiple machines...?
> 
> Til
> 
> 
> 
> On 10/02/2022 22:33, Michael Bouschen wrote:
>> Hi,
>> 
>> our JDO build is now reproducible, I just have to follow the
>> instructions given by hboutemy.
>> 
>> First I call 'mvn clean install' which builds all the artifacts and
>> stores them in the local maven repository.
>> Then I call 'mvn clean package artifact:compare' which builds the
>> artifacts again, but only in the target directory.
>> The plugin compares the artifacts in the maven repository with the ones
>> in the target directory by creating buildinfos for the artifacts and
>> comparing them.
>> 
>> This process also works for SNAPSHOT versions.
>> 
>> Regards Michael
>> 

Craig L Russell
clr@apache.org


Re: Reproducible JDO Build

Posted by Tilmann <ti...@gmx.de>.
 > The plugin compares the artifacts in the maven repository with the
ones in the target directory by creating buildinfos for the artifacts
and comparing them.

So the process compares two builds that have been built locally on the
same machine. I don't think I understand how this is meant to work (I
had a look at
https://maven.apache.org/plugins/maven-artifact-plugin/index.html but no
luck):
- If I build both versions locally, why would they ever differ?
- Is there a way to use this process to detect any problems caused by
building on different machines/environment (because it is always run on
the same machine)? It seems like one has to copy builds from another
machine or at least set-up a private repository that can be accessed by
multiple machines...?

Til



On 10/02/2022 22:33, Michael Bouschen wrote:
> Hi,
>
> our JDO build is now reproducible, I just have to follow the
> instructions given by hboutemy.
>
> First I call 'mvn clean install' which builds all the artifacts and
> stores them in the local maven repository.
> Then I call 'mvn clean package artifact:compare' which builds the
> artifacts again, but only in the target directory.
> The plugin compares the artifacts in the maven repository with the ones
> in the target directory by creating buildinfos for the artifacts and
> comparing them.
>
> This process also works for SNAPSHOT versions.
>
> Regards Michael
>
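
Added example (not part of the thread, and not the artifact plugin's code): a Python sketch of why two builds of the same sources on the same machine can still differ, which is what a local rebuild-and-compare can catch. The jar contents, build times and the helpers `build_jar`, `digest` and `explain_diff` are constructed for illustration; the plugin's buildinfo comparison is only modelled here as a SHA-512 over the archive bytes.

```python
import hashlib
import io
import zipfile

# Constructed sample inputs standing in for a module's packaged files.
SOURCES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "org/example/Hello.class": b"\xca\xfe\xba\xbe constructed class bytes",
}
FIRST_BUILD = (2022, 2, 10, 21, 33, 24)   # wall clock of 'mvn clean install'
SECOND_BUILD = (2022, 2, 10, 21, 35, 2)   # wall clock of the rebuild

def build_jar(files, entry_time, order=None):
    """Package files into an in-memory jar, stamping each entry with entry_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in order or sorted(files):
            info = zipfile.ZipInfo(name, date_time=entry_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, files[name])
    return buf.getvalue()

def digest(jar_bytes):
    """Checksum of the whole archive, the kind of value a buildinfo records."""
    return hashlib.sha512(jar_bytes).hexdigest()

def explain_diff(reference, rebuilt):
    """List why two jars differ: entry order, missing/changed content, timestamps."""
    def entries(data):
        with zipfile.ZipFile(io.BytesIO(data)) as jar:
            return [(i.filename, i.date_time, i.CRC) for i in jar.infolist()]
    ref, new = entries(reference), entries(rebuilt)
    reasons = []
    if [e[0] for e in ref] != [e[0] for e in new]:
        reasons.append("entry-order")
    rebuilt_by_name = {name: (mtime, crc) for name, mtime, crc in new}
    for name, mtime, crc in ref:
        other = rebuilt_by_name.get(name, (None, None))
        if other[1] != crc:
            reasons.append("content:" + name)
        elif other[0] != mtime:
            reasons.append("mtime:" + name)
    return reasons

if __name__ == "__main__":
    # Second pass stamps both builds with FIRST_BUILD, the effect of pinning
    # Maven's project.build.outputTimestamp property.
    for second in (SECOND_BUILD, FIRST_BUILD):
        a, b = build_jar(SOURCES, FIRST_BUILD), build_jar(SOURCES, second)
        print(digest(a) == digest(b), explain_diff(a, b))
```

The same-machine comparison covers nondeterminism inside the build itself (embedded build times, entry order); differences caused by JDK version, dependency resolution or platform still need a rebuild in a second environment.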