Posted to issues@maven.apache.org by "Hervé Boutemy (JIRA)" <ji...@apache.org> on 2017/10/07 14:17:00 UTC

[jira] [Comment Edited] (MNG-6276) Support reproducible builds

    [ https://issues.apache.org/jira/browse/MNG-6276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16195717#comment-16195717 ] 

Hervé Boutemy edited comment on MNG-6276 at 10/7/17 2:16 PM:
-------------------------------------------------------------

Thank you [~Zlika] for the followup: let's continue.

We need to find a property name that everybody will agree upon: "reproducible" does not gain momentum yet, nor "idempotent", nor "deterministic".
Re-reading https://reproducible-builds.org/, which seems a good starting point, what about {{verifiable}}?
To me, finding an agreed property name is the only requirement to fix MSHARED-661, which is one of the easiest parts to code, and so a good concrete first change to make.

To me, finding the right term is not just a detail, but a question of determining the right objective: looking at MSHARED-661, by removing timestamps, the build can be deterministic and idempotent on my personal machine, but our requirement is also that _someone else_ with a "decently near" configuration will get the bit-for-bit same result (then removing username avoids some stupid constraints on build environment configuration)

A general question: is there some writing somewhere on what the issues are in a basic Java build? (by "basic" I mean that no advanced build tool like Maven and plugins adds more variable parts)
The first strong issue I see, for example, in basic builds is _timestamps for files in jars/wars/zips_.
Is there something on the precise JDK version used? Or compiler? If I build with JDK 8 with target 6, do I get the same .class as with JDK 6? If I build with OpenJDK javac or IBM JDK javac or Eclipse jdt compiler or jikes, do I get the same result as with Oracle JDK javac?

Notice I just added a new entry in https://cwiki.apache.org/confluence/display/MAVEN/Proposals to track this proposal: I'll add a dedicated Wiki page to gather requirements, which will probably be useful for long-term documentation purposes in addition to our discussion in this Jira issue...


was (Author: hboutemy):
Thank you [~Zlika] for the followup: let's continue.

We need to find a property name that everybody will agree upon: "reproducible" does not gain momentum yet, nor "idempotent", nor "deterministic".
Re-reading https://reproducible-builds.org/, which seems a good starting point, what about {{verifiable}}?
To me, finding an agreed property name is the only requirement to fix MSHARED-661, which is one of the easiest parts to code, and so a good concrete first change to make.

To me, finding the right term is not just a detail, but a question of determining the right objective: looking at MSHARED-661, by removing timestamps, the build can be deterministic and idempotent on my personal machine, but our requirement is also that _someone else_ with a "decently near" configuration will get the bit-for-bit same result (then removing username avoids some stupid constraints on build environment configuration)

A general question: is there some writing somewhere on what the issues are in a basic Java build? (by "basic" I mean that no advanced build tool like Maven and plugins adds more variable parts)
The first strong issue I see, for example, in basic builds is _timestamps for files in jars/wars/zips_.
Is there something on the precise JDK version used? Or compiler? If I build with JDK 8 with target 6, do I get the same .class as with JDK 6? If I build with OpenJDK or IBM JDK or Eclipse compiler or jikes, do I get the same result as with Oracle JDK?

Notice I just added a new entry in https://cwiki.apache.org/confluence/display/MAVEN/Proposals to track this proposal: I'll add a dedicated Wiki page to gather requirements, which will probably be useful for long-term documentation purposes in addition to our discussion in this Jira issue...

> Support reproducible builds
> ---------------------------
>
>                 Key: MNG-6276
>                 URL: https://issues.apache.org/jira/browse/MNG-6276
>             Project: Maven
>          Issue Type: New Feature
>          Components: core, General
>            Reporter: Paolo Sacconier
>
> A venerable build system like Maven should support full build reproducibility (i.e. producing bit by bit identical binaries from the same source).
> As initiatives like https://reproducible-builds.org gain traction and the news of the recent Debian policy change to mandate this build behavior (see https://reproducible.alioth.debian.org/blog/posts/121/), this seems a feature that needs to be considered for inclusion into Maven core & core plugins.
> There is an independent ongoing effort to support this feature and the author stated that he has found interest from maven project to integrate his work: https://github.com/Zlika/reproducible-build-maven-plugin/issues/6#issuecomment-325005883
> I hope this issue helps kickstart the effort.
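
The comment above names timestamps for files in jars/wars/zips as the first obstacle to a bit-for-bit identical result. The following is an added example, not code from Maven, MSHARED-661 or reproducible-build-maven-plugin: it builds the same constructed file set twice at different times, shows which entries make the digests diverge, then pins the variable fields. All names (`build_jar`, `SAMPLE_FILES`, `FIXED_TIME`) are assumptions made for the illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample inputs (archive path -> bytes); not taken from any real project.
SAMPLE_FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe constructed class bytes",
}
# Earliest timestamp the ZIP format can store; an arbitrary but fixed choice.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_jar(files, mtime, normalize=False):
    """Return jar bytes. normalize=True pins entry order, timestamp and the
    host OS field so the bytes depend only on entry names and contents."""
    buf = io.BytesIO()
    names = sorted(files) if normalize else list(files)
    with zipfile.ZipFile(buf, "w") as jar:
        for name in names:
            info = zipfile.ZipInfo(name, FIXED_TIME if normalize else mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # same permissions on every host
            if normalize:
                info.create_system = 3  # otherwise derived from the build OS
            jar.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entries_with_different_metadata(jar_a, jar_b):
    """Names whose stored timestamp or CRC differs between two jars."""
    with zipfile.ZipFile(io.BytesIO(jar_a)) as a, zipfile.ZipFile(io.BytesIO(jar_b)) as b:
        meta_b = {i.filename: (i.date_time, i.CRC) for i in b.infolist()}
        return sorted(i.filename for i in a.infolist()
                      if meta_b.get(i.filename) != (i.date_time, i.CRC))


if __name__ == "__main__":
    a = build_jar(SAMPLE_FILES, (2017, 10, 7, 14, 16, 0))
    b = build_jar(SAMPLE_FILES, (2017, 10, 7, 14, 17, 0))
    print(sha256(a) == sha256(b), entries_with_different_metadata(a, b))
```

Compressed bytes can still vary with the zlib build on each machine, which is one instance of the "decently near configuration" condition raised in the comment.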


