[ 
https://issues.apache.org/jira/browse/MPOM-255?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17378946#comment-17378946
 ] 

Herve Boutemy commented on MPOM-255:
------------------------------------

{quote}but to be honest reproducible builds for pom only projects don't seem to 
be that reasonable.
{quote}
Apache official release is source = source-release.zip: do you think it is not 
reasonable to achieve reproducibility for Apache official release?

And I will anticipate a little bit: with Maven 4 differentiating build vs 
consumer POM, in the future, the published pom.xml will be different from 
pom.xml in Git, then checking its reproducibility won't seem so trivial.

And even for now: did you know that from one unique content in Git, there can 
be 2 different pom.xml content published to Central, based on the OS from the 
release manager (Windows or not)?

Do you confirm "reproducible builds for pom only projects don't seem to be that 
reasonable"?

{quote}This is not that easy to achieve as the rule requireProperty does not 
distinguish between inherited and local properties
{quote}
I know, I know, that's why I should have reviewed this issue before because I 
should have anticipated there was something broken in the implementation.

Notice: I don't judge, I'm not angry, I know that all was done with best 
intentions and I hoped that you had found the right way to do the check because 
I loved the intent. Thank you for all your efforts.

> Enforce local property "project.build.outputTimestamp" for reproducible builds
> ------------------------------------------------------------------------------
>
>                 Key: MPOM-255
>                 URL: https://issues.apache.org/jira/browse/MPOM-255
>             Project: Maven POMs
>          Issue Type: Improvement
>          Components: asf
>    Affects Versions: ASF-23
>            Reporter: Konrad Windszus
>            Assignee: Michael Osipov
>            Priority: Major
>             Fix For: ASF-24
>
>
> In case the release's root pom.xml doesn't overwrite 
> "project.build.outputTimestamp" it takes the value from 
> [https://github.com/apache/maven-apache-parent/blob/4813409e6a1ecfea11c8eb22a5f0443f790f1454/pom.xml#L95].
> Instead of the fallback an enforcer rule should be added to require a 
> property "project.build.outputTimestamp" to be set in the right format for 
> reproducible builds to work 
> ([https://maven.apache.org/guides/mini/guide-reproducible-builds.html#how-do-i-configure-my-maven-build])
>  for every pom.xml locally.
> Only that way the timestamps are automatically adjusted with each release 
> (https://issues.apache.org/jira/browse/MRELEASE-1029)



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
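
One way to check what the issue asks for, as an added example (not code from the issue, the ASF parent POM or the enforcer plugin): the script reads a single pom.xml as text, so a value inherited from a parent POM or set only in a profile never satisfies it. The function names and sample POMs are constructed; the accepted formats are assumed to be the two described in the Maven reproducible-builds guide (ISO 8601 with offset, or epoch seconds).

```python
import re
import xml.etree.ElementTree as ET

PROP = "project.build.outputTimestamp"
# Assumed accepted formats: yyyy-MM-dd'T'HH:mm:ssXXX or integer epoch seconds.
ISO_8601 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})")
# Two or more digits: a one-character value is treated as "not configured".
EPOCH_SECONDS = re.compile(r"\d{2,}")


def local_name(element):
    """Tag name without the '{namespace}' prefix ElementTree prepends."""
    return element.tag.rsplit("}", 1)[-1]


def check_local_output_timestamp(pom_xml):
    """Return (ok, detail) for the property declared directly in this POM."""
    root = ET.fromstring(pom_xml)
    # Only direct children of <project> are inspected: <properties> nested in
    # <profiles> and anything coming from <parent> is deliberately ignored.
    for child in root:
        if local_name(child) != "properties":
            continue
        for prop in child:
            if local_name(prop) == PROP:
                value = (prop.text or "").strip()
                if ISO_8601.fullmatch(value) or EPOCH_SECONDS.fullmatch(value):
                    return True, value
                return False, "invalid format: %r" % value
    return False, "not declared in this pom.xml"


# Constructed sample POMs (hypothetical coordinates, not real projects).
PARENT = ("<parent><groupId>org.example</groupId>"
          "<artifactId>parent</artifactId><version>1</version></parent>")
NS = 'xmlns="http://maven.apache.org/POM/4.0.0"'
LOCAL_ISO = ("<project %s>%s<properties><%s>2021-07-12T08:30:00Z</%s>"
             "</properties></project>" % (NS, PARENT, PROP, PROP))
LOCAL_EPOCH = ("<project %s><properties><%s>1626078600</%s>"
               "</properties></project>" % (NS, PROP, PROP))
INHERITED_ONLY = "<project %s>%s</project>" % (NS, PARENT)
PROFILE_ONLY = ("<project %s><profiles><profile><properties><%s>1626078600</%s>"
                "</properties></profile></profiles></project>" % (NS, PROP, PROP))
BAD_FORMAT = ("<project %s><properties><%s>2021-07-12 08:30</%s>"
              "</properties></project>" % (NS, PROP, PROP))

if __name__ == "__main__":
    for name in ("LOCAL_ISO", "LOCAL_EPOCH", "INHERITED_ONLY", "PROFILE_ONLY", "BAD_FORMAT"):
        print(name, check_local_output_timestamp(globals()[name]))
```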