[jira] [Commented] (MNG-6276) Support reproducible builds

Sun, 27 Aug 2017 04:04:26 -0700 

    [ 
https://issues.apache.org/jira/browse/MNG-6276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16143074#comment-16143074
 ] 

Zlika commented on MNG-6276:
----------------------------

Hi. I'm the author of the [reproducible-build-maven 
plugin|http://zlika.github.io/reproducible-build-maven-plugin/]. I gave a talk 
at Devoxx France 2016 on this subject (cf. [slides 
here|http://zlika.github.io/presentations/devoxx_fr_2016/reproducible-builds/slides_en.html])
 and after this talk I had the opportunity to talk with [~hboutemy] from ASF. 
He advised me to create a ticket on the Maven JIRA to propose such a feature. 
I'm a little bit late, but thanks to [~psacc], here it is! :-)

To have a reproducible build feature in Maven, some of its core plugins (and/or 
dependencies) are concerned, like maven-jar-plugin, maven-assembly-plugin...
At least the following things must be done:
* Remove unecessary timestamps, usernames and tool versions in files like 
MANIFEST.MF, pom.properties...
* Sorts zip entries of the JAR files (so that the order does not depend on 
their order in the user's filesystem) and remove file timestamps.

I think it should be an "opt-in" feature, so it would be nice to have a global 
property like {noformat}${project.build.reproducibleBuild}{noformat} to 
enable/disable this feature with a one-liner.

Regards

> Support reproducible builds
> ---------------------------
>
>                 Key: MNG-6276
>                 URL: https://issues.apache.org/jira/browse/MNG-6276
>             Project: Maven
>          Issue Type: New Feature
>          Components: core, General
>            Reporter: Paolo Sacconier
>
> A venerable build system like maven should support full build reproduibilty 
> (i.e. producing bit a bit identical binaries from the same source).
> As initiatives like https://reproducible-builds.org gain traction and the 
> news of the recent Debian policy change to mandate this build behavior (see 
> https://reproducible.alioth.debian.org/blog/posts/121/), this seems a feature 
> that needs to be considered for inclusion into maven core.
> There is an indipendent ongoing effort to support this feature and the author 
> stated that he has found interest from maven project to integrate his work: 
> https://github.com/Zlika/reproducible-build-maven-plugin/issues/6#issuecomment-325005883
> I hope this issue helps kickstart the effort.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to