stechio opened a new issue, #539: URL: https://github.com/apache/maven-jar-plugin/issues/539
### Affected version

3.5.0

### Bug description

Due to <https://github.com/apache/maven-jar-plugin/pull/73>, manifests generated via toolchain are populated with two additional entries (`Build-Jdk-Spec` and `Build-Tool-Jdk-Spec`); despite their informative usefulness, *they violate the principles of reproducible builds*:

- `Build-Jdk-Spec` is *acceptable only if a project pins a specific JDK version* in its toolchain configuration, otherwise it may vary across build environments!
- `Build-Tool-Jdk-Spec` is *straightforwardly harmful*, as it records the JDK running Maven itself, which is entirely independent from the build configuration!

Consequently, **to ensure reproducible builds, it is fundamental to give users the ability to exclude such entries**, tying them to `addBuildEnvironmentEntries` configuration parameter.

---

A temporary workaround may be to suppress them with empty declarations:

```xml
<Build-Jdk-Spec/>
<Build-Tool-Jdk-Spec/>
```

but that's far from ideal.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
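A check for the problem reported above, as an added example that is not part of the original issue or of the maven-jar-plugin project: it compares the main manifest sections of two builds of the same artifact and reports whether the only differences are the two entries the issue names. The function names and both sample manifests are constructed for illustration.

```python
import io
import zipfile

# Entries the issue names as dependent on the build environment.
ENV_ENTRIES = ("Build-Jdk-Spec", "Build-Tool-Jdk-Spec")

def parse_main_attributes(text):
    """Parse the main section of a MANIFEST.MF, joining continuation lines."""
    attrs, key = {}, None
    for line in text.splitlines():
        if not line:  # a blank line ends the main section
            break
        if line.startswith(" ") and key:
            attrs[key] += line[1:]  # continuation: drop the leading space
        else:
            key, _, value = line.partition(":")
            attrs[key] = value.lstrip()
    return attrs

def read_manifest(jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        raw = jar.read("META-INF/MANIFEST.MF")
    return parse_main_attributes(raw.decode("utf-8"))

def manifest_drift(jar_a, jar_b):
    """Return {entry: (value_a, value_b)} for entries that differ between builds."""
    a, b = read_manifest(jar_a), read_manifest(jar_b)
    names = sorted(set(a) | set(b))
    return {n: (a.get(n), b.get(n)) for n in names if a.get(n) != b.get(n)}

def only_environment_drift(drift):
    """True when the builds differ and every differing entry is in ENV_ENTRIES."""
    return bool(drift) and all(n in ENV_ENTRIES for n in drift)

def make_jar(manifest_text):
    """Build an in-memory JAR holding only a manifest (sample input helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        entry = zipfile.ZipInfo("META-INF/MANIFEST.MF", (1980, 1, 1, 0, 0, 0))
        jar.writestr(entry, manifest_text)
    return buf.getvalue()

# Constructed samples: same toolchain JDK, different JDK running Maven.
COMMON = "Manifest-Version: 1.0\r\nImplementation-Title: constructed-sample-\r\n artifact\r\n"
JAR_A = make_jar(COMMON + "Build-Jdk-Spec: 17\r\nBuild-Tool-Jdk-Spec: 21\r\n\r\n")
JAR_B = make_jar(COMMON + "Build-Jdk-Spec: 17\r\nBuild-Tool-Jdk-Spec: 25\r\n\r\n")

if __name__ == "__main__":
    drift = manifest_drift(JAR_A, JAR_B)
    print(drift, only_environment_drift(drift))
```
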
