Posted to issues@sis.apache.org by "hboutemy (via GitHub)" <gi...@apache.org> on 2023/08/01 22:15:59 UTC

[GitHub] [sis] hboutemy commented on a diff in pull request #36: enable Reproducible Builds

hboutemy commented on code in PR #36:
URL: https://github.com/apache/sis/pull/36#discussion_r1281204329


##########
pom.xml:
##########
@@ -545,6 +545,7 @@
        =================================================================== -->
   <properties>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    <project.build.outputTimestamp>2023-07-15T16:42:39Z</project.build.outputTimestamp>
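
Review bot: The added `project.build.outputTimestamp` line holds a literal value (2023-07-15T16:42:39Z) with no comment beside it, so a later reader of `<properties>` cannot tell that it is a deliberately fixed build timestamp or when it is supposed to change. Suggest an XML comment directly above the property saying that the value is pinned for Reproducible Builds and naming who or what updates it at each release, so that it does not go stale unnoticed.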

Review Comment:
   > If this migration is accepted, the fix proposed in this issue would take a different form.
   
   ok, let's drop this PR, then, no problem
   
   > it throws away valuable metadata such as build time and who made the build
   
   I perfectly understand your idea, I was a strong promoter of trackers of provenance: the fact is that with RB, they are not useful any more
   
   > I think that no timestamp would be better than a timestamp with fixed value
   
   Yes: if you know if zip and/or tar have that notion, I'm interested
   
   > In French I would say that bit-by-bit reproducibility is "jeter le bébé avec l'eau du bain".
   
   Hehe :) From experience gained from thousands of rebuilds in https://github.com/jvm-repo-rebuild/reproducible-central , I detected many unexpected differences in releases with this approach
   But it has to happen step by step, learning while deploying, without forcing


