[jira] [Commented] (MNG-6859) Build not easily reproducible when built from source release archive

Michael Osipov (Jira) Fri, 02 Jul 2021 05:12:06 -0700


    [ 
https://issues.apache.org/jira/browse/MNG-6859?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17373470#comment-17373470
 ]


Michael Osipov commented on MNG-6859:
-------------------------------------

Fixed with 
[b5ee58338127ed9f8e775d9ea5c547469b9a5484|https://gitbox.apache.org/repos/asf?p=maven.git;a=commit;h=b5ee58338127ed9f8e775d9ea5c547469b9a5484]
 for {{maven-3.8.x}} branch.

> Build not easily reproducible when built from source release archive
> --------------------------------------------------------------------
>
>                 Key: MNG-6859
>                 URL: https://issues.apache.org/jira/browse/MNG-6859
>             Project: Maven
>          Issue Type: Improvement
>          Components: Bootstrap &amp; Build, General
>    Affects Versions: 3.6.3
>            Reporter: Michael Osipov
>            Assignee: Michael Osipov
>            Priority: Major
>             Fix For: 3.8.2, 4.0.0, 4.0.0-alpha-1
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When build from the source tarball, we don't have Git revision information 
> which means the non-canonical tag with a timestamp is used. This breaks 
> reproducibility, or at least makes reproducibility harder: you have to add a 
> command line argument {{-DbuildNumber=...git commit...}}, as explained in 
> 3.6.3 release notes [https://maven.apache.org/docs/3.6.3/release-notes.html]
>  
> Before patch:
> {noformat}
> [~/Projekte/maven]$ git clone ...
> [~/Projekte/maven]$ mvn clean package -Papache-release
> [~/Projekte/maven]$ cp 
> apache-maven/target/apache-maven-3.7.0-SNAPSHOT-src.tar.gz ~
> [~]$ tar xzf apache-maven-3.7.0-SNAPSHOT-src.tar.gz
> [~]$ cd apache-maven-3.7.0-SNAPSHOT/
> [~/apache-maven-3.7.0-SNAPSHOT]$ mv 
> apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz 
> ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1
> [~/apache-maven-3.7.0-SNAPSHOT]$ mvn clean package
> [~/apache-maven-3.7.0-SNAPSHOT]$ mv 
> apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz 
> ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2
> [~/apache-maven-3.7.0-SNAPSHOT]$ cd
> [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1
> SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1) = 
> a38ea894346edea14cde621dfe11d5d82e0a9330e430c1fe0538f67581057001
> [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2
> SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2) = 
> 404798fc51cbcfa6201e23f0e215c6d9d43aeeea0c4383a9cf5e4a0b443e4a21
> [~]$ diffoscope apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1 
> apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2
> --- apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1
> +++ apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2
> │ --- apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1-content
> ├── +++ apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2-content
> │ ├── file list
> │ │ @@ -71,15 +71,15 @@
> │ │ -rw-r--r-- 0 root (0) root (0) 2497 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/javax.inject-1.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 5848 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/jsr250-api-1.0.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 263253 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/plexus-utils-3.3.0.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 27703 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/plexus-sec-dispatcher-1.4.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 13350 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/plexus-cipher-1.7.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 41424 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/slf4j-api-1.7.29.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 501879 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/commons-lang3-3.8.1.jar
> │ │ --rw-r--r-- 0 root (0) root (0) 631758 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/maven-core-3.7.0-SNAPSHOT.jar
> │ │ +-rw-r--r-- 0 root (0) root (0) 631756 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/maven-core-3.7.0-SNAPSHOT.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 27163 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/maven-repository-metadata-3.7.0-SNAPSHOT.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 57769 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/maven-artifact-3.7.0-SNAPSHOT.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 66243 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/maven-resolver-provider-3.7.0-SNAPSHOT.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 180696 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/maven-resolver-impl-1.4.1.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 36732 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/maven-resolver-spi-1.4.1.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 379197 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/org.eclipse.sisu.inject-0.3.4.jar
> │ │ -rw-r--r-- 0 root (0) root (0) 4225 2019-11-07 12:32:18.000000 
> apache-maven-3.7.0-SNAPSHOT/lib/plexus-component-annotations-2.1.0.jar
> │ ├── apache-maven-3.7.0-SNAPSHOT/lib/maven-core-3.7.0-SNAPSHOT.jar
> │ │┄ Command `zipinfo /dev/stdin` exited with 9. Output:
> │ │┄ <none>
> │ │ @@ -18070,21416 +18070,21416 @@
> │ │ 00046950: b8ca f012 4689 da22 2f39 42cd 9313 9b31 ....F.."/9B....1
> │ │ 00046960: 3b64 c7f5 f858 4a54 9d4c 815b c899 2cca ;d...XJT.L.[..,.
> │ │ 00046970: fdbc f841 8e0b 991c fb38 f3f3 bdac b5bf ...A.....8......
> │ │ 00046980: a475 a0a4 75b0 9826 f3a0 84b4 3fd0 ace2 .u..u..&....?...
> │ │ 00046990: 1089 f88d cc1e f652 c9af 8f5b 715b b156 .......R...[q[.V
> │ │ 000469a0: 6ff7 d677 785f 9d68 64ed 09fe 1578 3776 o..wx_.hd....x7v
> │ │ 000469b0: 87ea ff02 504b 0304 1400 0008 0800 0964 ....PK.........d
> │ │ -000469c0: 674f 0086 3a5d 2b02 0000 ba03 0000 2a00 gO..:]+.......*.
> │ │ +000469c0: 674f 9b8f 191e 2902 0000 ba03 0000 2a00 gO....).......*.
> │ │ 000469d0: 0000 6f72 672f 6170 6163 6865 2f6d 6176 ..org/apache/mav
> │ │ 000469e0: 656e 2f6d 6573 7361 6765 732f 6275 696c en/messages/buil
> │ │ 000469f0: 642e 7072 6f70 6572 7469 6573 6552 4b6f d.propertieseRKo
> │ │ -00046a00: da40 10be f32b 4670 4954 3086 aaad 44c5 .@...+FpIT0...D.
> │ │ -00046a10: c125 a058 2576 c53a 8d72 8ad6 f660 af6a .%.X%v.:.r...`.j
> │ │ -00046a20: efba bb6b 1cfe 7dc7 0f12 aa5c 40de 996f ...k..}....\@..o
> │ │ -00046a30: e67b cc04 f622 4169 3005 abc0 e608 5ec5 .{..."Ai0.....^.
> │ │ -00046a40: 13fa 63ea 681b ae11 76aa 9629 b742 49b8 ..c.h...v..).BI.
> │ │ -00046a50: f1d8 ee16 e813 3528 89a3 0928 0da5 a2a6 ......5(...(....
> ...
> {noformat}
> After patch:
> {noformat}
> [~/apache-maven-3.7.0-SNAPSHOT]$ mvn clean package
> [~/Projekte/maven]$ mv 
> apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz 
> ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1
> [~/apache-maven-3.7.0-SNAPSHOT]$ mvn clean package
> [~/Projekte/maven]$ mv 
> apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz 
> ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2
> [~/apache-maven-3.7.0-SNAPSHOT]$ cd
> [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1
> SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1) = 
> c467f2c45239d2f8c9c61bee7fba5ffc0680a6c2e3516a89c71a83e95ef76cd6
> [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2
> SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2) = 
> c467f2c45239d2f8c9c61bee7fba5ffc0680a6c2e3516a89c71a83e95ef76cd6
> [~]$ diffoscope apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1 
> apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2
> [~]$ echo $?
> 0
> {noformat}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Commented] (MNG-6859) Build not easily reproducible when built from source release archive

Reply via email to