last updates: - tar.gz archives are now also reproducible (in addition to .zip) - src archives are also built and reproducible (notice that the result is the same on every JDK version of a platform. Notice 2: if you don't get the same result than CI, check that you don't have IDE configuration files that went into your local source archives...) - artifacts built on ASF CI are available, for people to download and compare if you get a different result: https://builds.apache.org/view/M-R/view/Maven/job/maven-box/job/maven/job/reproducible/lastSuccessfulBuild/artifact/org/apache/maven/apache-maven/3.6.3-SNAPSHOT/
I'll share shortly a discussion on a choice we need to do together to define how to configure reproducible builds (property name and value/format of current source-date-epoch defined in PoC) Once this decision is made, we can start release packaging plugins that support "native" reproducible builds https://reproducible-builds.org/ Regards, Hervé Le lundi 23 septembre 2019, 01:52:48 CEST Hervé BOUTEMY a écrit : > after a few years of testing, thinking, procrastination and hard work (thank > you Thomas for your talk at Devoxx France 2016 [1]), I think I achieved a > key step this week-end toward native Reproducible Builds with Maven [2]: > Maven core itself can be built in a reproducible way! > > It means that if you build "reproducible" branch of Maven core, you'll get > the same apache-maven-3.6.3-SNAPSHOT-bin.zip than me or the ASF CI server > [3]. The precise result depends only on 2 key facts: > - do you build on Windows or any Unix? This impacts newlines... > - what JDK major version do you use to build? This affects generated .class > (notice: AFAIK minor JDK version does not have any impact, nor platform) > > This branch is only a PoC: it uses unreleased packaging plugins that give > reproducible results (versions in .RB-SNAPSHOT), and I had to tweak a > little bit the build for remaining reproduciblity issues with sisu and > plexus plugins. There are many details to decide before releasing these > plugins and making every build reproducible by default. But the current > steps proves that is is feasible. > > Interested in joining the effort to bring this feature to releases for end > users? > > Regards, > > Hervé > > > [1] > http://zlika.github.io/presentations/devoxx_fr_2016/reproducible-builds/sli > des_fr.html > > [2] > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318 > > [3] > https://builds.apache.org/view/M-R/view/Maven/job/maven-box/job/maven/job/r > eproducible/ > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > For additional commands, e-mail: dev-h...@maven.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
