On 2/25/2024, 2:49 PM Elliotte Rusty Harold wrote:


>> For #2, reproducible builds mean we have to be able to support what
>> customers are using and that can be anything from Java 8 - 21. It is
>> not sufficient to say Java 21 can compile to Java 8 since that does
>> not produce the same byte code as compiling with Java 8.


On 2/26/2024 8:22 PM, Benjamin Marwell wrote:


> That is the point.
> If you built the project with JDK 21 using the -release=8, you can get
> the same (reproducible) output with a similar OS and JDK 21.

I wrote about 6 or 7 paragraphs of word salad to essentially convey the
same message as Benjamin.

If the goal is verification of the artifact with respect to the code in
the software repo, the verifier needs the same JDK version as the
version used to produce the artifact being checked in order to compare
binaries. The Java version can be any Java version and only depends on
the producer of the artifact (the owner of the artifact). Obviously,
this Java version needs to be equal to or higher than the "release"
version, but that is it.

Claiming that if the release version is 8, the Java version must also be
8 seems quite incorrect.


-- 
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
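
An added example, not part of the original message or of any project's code: a verifier-side check that reads the producer JDK and the bytecode target from a jar separately, then compares a rebuild entry by entry. It assumes the jar manifest carries a `Build-Jdk-Spec` attribute as written by Maven's archiver; the jars, the `Foo.class` stub and its body bytes are constructed sample data.

```python
import hashlib, io, struct, zipfile

def class_major(data):
    """Major version from a class-file header (52 = Java 8, 65 = Java 21)."""
    magic, _minor, major = struct.unpack(">IHH", data[:8])
    if magic != 0xCAFEBABE:
        raise ValueError("not a class file")
    return major

def describe(jar_bytes):
    """Return (producer JDK, bytecode target, {entry: sha256}) for a jar."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = {name: jar.read(name) for name in jar.namelist()}
    manifest = entries["META-INF/MANIFEST.MF"].decode("utf-8")
    attrs = dict(l.split(": ", 1) for l in manifest.splitlines() if ": " in l)
    majors = {class_major(d) for n, d in entries.items() if n.endswith(".class")}
    # Class-file major 52 corresponds to Java 8, so target = major - 44.
    target = max(majors) - 44 if majors else None
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in entries.items()}
    return attrs.get("Build-Jdk-Spec"), target, digests

def differing_entries(reference, rebuilt):
    """Names of entries whose bytes differ between two jars."""
    ref, new = describe(reference)[2], describe(rebuilt)[2]
    return sorted(n for n in ref.keys() | new.keys() if ref.get(n) != new.get(n))

def make_jar(build_jdk, major, body):
    """Constructed sample jar: one stub class header plus a manifest."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF",
                     f"Manifest-Version: 1.0\r\nBuild-Jdk-Spec: {build_jdk}\r\n")
        jar.writestr("Foo.class", struct.pack(">IHH", 0xCAFEBABE, 0, major) + body)
    return buf.getvalue()

# Constructed inputs: the body bytes stand in for compiler-specific output.
published = make_jar("21", 52, b"emitted-by-jdk21")
rebuilt_same_jdk = make_jar("21", 52, b"emitted-by-jdk21")
rebuilt_jdk8 = make_jar("1.8", 52, b"emitted-by-jdk8")

if __name__ == "__main__":
    print(describe(published)[:2])                          # producer JDK vs. target
    print(differing_entries(published, rebuilt_same_jdk))   # same JDK as producer
    print(differing_entries(published, rebuilt_jdk8))       # different JDK, same target
```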
