[
https://issues.apache.org/jira/browse/MNG-6276?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16196294#comment-16196294
]
Daniel Wegener commented on MNG-6276:
-------------------------------------
I wrote about this topic last year:
https://blog.holisticon.de/2016/10/reproducible-builds-in-java/
TL;DR:
- given the same environment, javac's classfile output is stable
- jar's uses zip which contains entry-timstamps which we must set to a fixed
value (or a somewhat non-arbitrary default)
- maven-archiver-plugin may parallelize the packaging which may results in
arbitrary entry order in the packaged artifact
- the archiver plugin iterates the files which are to be packaged in
file-system order which may differ across plaforms
- I have not tested how the "standard tooling", the jar command line tool
(http://docs.oracle.com/javase/8/docs/technotes/tools/unix/jar.html) behaves
> Support reproducible builds
> ---------------------------
>
> Key: MNG-6276
> URL: https://issues.apache.org/jira/browse/MNG-6276
> Project: Maven
> Issue Type: New Feature
> Components: core, General
> Reporter: Paolo Sacconier
>
> A venerable build system like maven should support full build reproducibilty
> (i.e. producing bit a bit identical binaries from the same source).
> As initiatives like https://reproducible-builds.org gain traction and the
> news of the recent Debian policy change to mandate this build behavior (see
> https://reproducible.alioth.debian.org/blog/posts/121/), this seems a feature
> that needs to be considered for inclusion into maven core & core plugins.
> There is an independent ongoing effort to support this feature and the author
> stated that he has found interest from maven project to integrate his work:
> https://github.com/Zlika/reproducible-build-maven-plugin/issues/6#issuecomment-325005883
> I hope this issue helps kickstart the effort.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
