On Fri, 10 Dec 2021 19:16:49 GMT, John Neffenger <[email protected]> wrote:
>>> Thanks, CSR now Finalized
>>
>> Just a minor note: the CSR uses the adjective "extended" in three places for
>> the DOS date and time field, but that field is actually a part of the
>> original ZIP specification and not in an extended field. This implementation
>> makes a point never to touch the "Extended Timestamp Extra Field" defined in
>> the 1997 [Info-ZIP Application Note 970311][1].
>>
>> Maybe the confusion was from the required ISO 8601 extended format (rather
>> than basic).
>>
>> [1]: https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/util/zip/ZipEntry.html#setExtra(byte%5B%5D)
>
>> @jgneff John, I know you have an interest in this, what is your urgency for
>> this support? jdk-18 or 19 ?
>
> It's not urgent. I'm just being impatient. 😄
>
> If this pull request is integrated only into JDK 19, JavaFX won't be able to
> support reproducible builds until OpenJFX 20 in March 2023. Java projects in
> general are late to the reproducible builds party. Debian, for example,
> builds 31,571 packages and [less than three percent fail][1] to build in a
> reproducible manner. Those failing packages include OpenJDK and OpenJFX.
> Debian plans eventually to make [reproducibility a requirement][2], and other
> distributions may follow.
>
> The only true urgency, of course, is to provide Java project owners better
> tools to detect the next supply chain attack on the packages they distribute.
>
> [1]: https://tests.reproducible-builds.org/debian/bookworm/index_suite_amd64_stats.html
> [2]: https://www.debian.org/doc/debian-policy/ch-source.html#reproducibility

@jgneff thanks John, I'm going to raise the JEP 3 request and see where I get, as I concur with your statement:

> The only true urgency, of course, is to provide Java project owners better
> tools to detect the next supply chain attack on the packages they distribute.

The risk is minimal, also given the extensive testing we have done.
-------------

PR: https://git.openjdk.java.net/jdk/pull/6481
