[jira] [Updated] (MSOURCES-137) Artifacts generated by maven-source-plugin are not reproducible because they depend on the umask

Andreas Veithen (Jira) Mon, 12 Jun 2023 23:56:06 -0700


     [ 
https://issues.apache.org/jira/browse/MSOURCES-137?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Andreas Veithen updated MSOURCES-137:
-------------------------------------
    Description: 
It appears that inside the archive created by maven-source-plugin, the 
permissions of {{META-INF/maven/*/*/pom.properties}} depend on the current 
umask.

Steps to reproduce:
{code:java}
$ umask 022
$ mvn clean install
$ umask 002
$ mvn clean verify artifact:compare
{code}
This can be used on any project attaching a source jar (e.g. 
[https://github.com/apache/ws-axiom/]).

Example diffoscope output:
{code:java}
--- target/reference/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
+++ target/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
│┄ Archive contents identical but files differ, possibly due to different 
compression levels. Falling back to binary comparison.
├── zipinfo {}
│ @@ -14,9 +14,9 @@
│  -rw-r--r--  2.0 unx      170 b- defN 22-Mar-13 11:17 META-INF/NOTICE
│  -rw-r--r--  2.0 unx     1365 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/FactoryMethod.java
│  -rw-r--r--  2.0 unx     1101 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/Inject.java
│  -rw-r--r--  2.0 unx     1095 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/Mixin.java
│  -rw-r--r--  2.0 unx     1100 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/Singleton.java
│  -rw-r--r--  2.0 unx     1136 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/WeavablePackage.java
│  -rw-r--r--  2.0 unx     1411 b- defN 22-Mar-13 11:17 
META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.xml
│ --rw-r--r--  2.0 unx       95 b- defN 22-Mar-13 11:17 
META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.properties
│ +-rw-rw-r--  2.0 unx       95 b- defN 22-Mar-13 11:17 
META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.properties
│  20 files, 19157 bytes uncompressed, 8089 bytes compressed:  57.8%
│   --- target/reference/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
├── +++ target/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
│ @@ -676,15 +676,15 @@
│  00002a30: 0000 0000 0000 a481 b020 0000 4d45 5441  ......... ..META
│  00002a40: 2d49 4e46 2f6d 6176 656e 2f6f 7267 2e61  -INF/maven/org.a
│  00002a50: 7061 6368 652e 7773 2e63 6f6d 6d6f 6e73  pache.ws.commons
│  00002a60: 2e61 7869 6f6d 2f61 7869 6f6d 2d77 6561  .axiom/axiom-wea
│  00002a70: 7665 722d 616e 6e6f 7461 7469 6f6e 732f  ver-annotations/
│  00002a80: 706f 6d2e 786d 6c50 4b01 0214 0314 0000  pom.xmlPK.......
│  00002a90: 0808 0022 5a6d 54b9 68bb 2558 0000 005f  ..."ZmT.h.%X..._
│ -00002aa0: 0000 0052 0000 0000 0000 0000 0000 00a4  ...R............
│ +00002aa0: 0000 0052 0000 0000 0000 0000 0000 00b4  ...R............
│  00002ab0: 81e8 2300 004d 4554 412d 494e 462f 6d61  ..#..META-INF/ma
│  00002ac0: 7665 6e2f 6f72 672e 6170 6163 6865 2e77  ven/org.apache.w
│  00002ad0: 732e 636f 6d6d 6f6e 732e 6178 696f 6d2f  s.commons.axiom/
│  00002ae0: 6178 696f 6d2d 7765 6176 6572 2d61 6e6e  axiom-weaver-ann
│  00002af0: 6f74 6174 696f 6e73 2f70 6f6d 2e70 726f  otations/pom.pro
│  00002b00: 7065 7274 6965 7350 4b05 0600 0000 0014  pertiesPK.......
│  00002b10: 0014 0057 0600 00b0 2400 0000 00         ...W....$....
{code}
Note that although maven-jar-plugin adds the same {{pom.properties}} file to 
the archive, it isn't affected by this problem.

I discovered this while trying to check the reproducibility of Apache Axiom 
builds in a Github Codespace, where file permissions are set in a peculiar way; 
see [https://github.com/orgs/community/discussions/26026].

  was:
It appears that inside the archive created by maven-source-plugin, the 
permissions of 
{{META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.properties}}
 depend on the current umask.

Steps to reproduce:

{code}
$ umask 022
$ mvn clean install
$ umask 002
$ mvn clean verify artifact:compare
{code}

This can be used on any project attaching a source jar (e.g. 
https://github.com/apache/ws-axiom/).

Example diffoscope output:

{code}
--- target/reference/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
+++ target/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
│┄ Archive contents identical but files differ, possibly due to different 
compression levels. Falling back to binary comparison.
├── zipinfo {}
│ @@ -14,9 +14,9 @@
│  -rw-r--r--  2.0 unx      170 b- defN 22-Mar-13 11:17 META-INF/NOTICE
│  -rw-r--r--  2.0 unx     1365 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/FactoryMethod.java
│  -rw-r--r--  2.0 unx     1101 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/Inject.java
│  -rw-r--r--  2.0 unx     1095 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/Mixin.java
│  -rw-r--r--  2.0 unx     1100 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/Singleton.java
│  -rw-r--r--  2.0 unx     1136 b- defN 22-Mar-13 11:17 
org/apache/axiom/weaver/annotation/WeavablePackage.java
│  -rw-r--r--  2.0 unx     1411 b- defN 22-Mar-13 11:17 
META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.xml
│ --rw-r--r--  2.0 unx       95 b- defN 22-Mar-13 11:17 
META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.properties
│ +-rw-rw-r--  2.0 unx       95 b- defN 22-Mar-13 11:17 
META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.properties
│  20 files, 19157 bytes uncompressed, 8089 bytes compressed:  57.8%
│   --- target/reference/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
├── +++ target/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
│ @@ -676,15 +676,15 @@
│  00002a30: 0000 0000 0000 a481 b020 0000 4d45 5441  ......... ..META
│  00002a40: 2d49 4e46 2f6d 6176 656e 2f6f 7267 2e61  -INF/maven/org.a
│  00002a50: 7061 6368 652e 7773 2e63 6f6d 6d6f 6e73  pache.ws.commons
│  00002a60: 2e61 7869 6f6d 2f61 7869 6f6d 2d77 6561  .axiom/axiom-wea
│  00002a70: 7665 722d 616e 6e6f 7461 7469 6f6e 732f  ver-annotations/
│  00002a80: 706f 6d2e 786d 6c50 4b01 0214 0314 0000  pom.xmlPK.......
│  00002a90: 0808 0022 5a6d 54b9 68bb 2558 0000 005f  ..."ZmT.h.%X..._
│ -00002aa0: 0000 0052 0000 0000 0000 0000 0000 00a4  ...R............
│ +00002aa0: 0000 0052 0000 0000 0000 0000 0000 00b4  ...R............
│  00002ab0: 81e8 2300 004d 4554 412d 494e 462f 6d61  ..#..META-INF/ma
│  00002ac0: 7665 6e2f 6f72 672e 6170 6163 6865 2e77  ven/org.apache.w
│  00002ad0: 732e 636f 6d6d 6f6e 732e 6178 696f 6d2f  s.commons.axiom/
│  00002ae0: 6178 696f 6d2d 7765 6176 6572 2d61 6e6e  axiom-weaver-ann
│  00002af0: 6f74 6174 696f 6e73 2f70 6f6d 2e70 726f  otations/pom.pro
│  00002b00: 7065 7274 6965 7350 4b05 0600 0000 0014  pertiesPK.......
│  00002b10: 0014 0057 0600 00b0 2400 0000 00         ...W....$....
{code}

Note that although maven-jar-plugin adds the same {{pom.properties}} file to 
the archive, it isn't affected by this problem.

I discovered this while trying to check the reproducibility of Apache Axiom 
builds in a Github Codespace, where file permissions are set in a peculiar way; 
see https://github.com/orgs/community/discussions/26026.


> Artifacts generated by maven-source-plugin are not reproducible because they 
> depend on the umask
> ------------------------------------------------------------------------------------------------
>
>                 Key: MSOURCES-137
>                 URL: https://issues.apache.org/jira/browse/MSOURCES-137
>             Project: Maven Source Plugin
>          Issue Type: Bug
>    Affects Versions: 3.3.0
>            Reporter: Andreas Veithen
>            Priority: Minor
>
> It appears that inside the archive created by maven-source-plugin, the 
> permissions of {{META-INF/maven/*/*/pom.properties}} depend on the current 
> umask.
> Steps to reproduce:
> {code:java}
> $ umask 022
> $ mvn clean install
> $ umask 002
> $ mvn clean verify artifact:compare
> {code}
> This can be used on any project attaching a source jar (e.g. 
> [https://github.com/apache/ws-axiom/]).
> Example diffoscope output:
> {code:java}
> --- target/reference/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
> +++ target/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
> │┄ Archive contents identical but files differ, possibly due to different 
> compression levels. Falling back to binary comparison.
> ├── zipinfo {}
> │ @@ -14,9 +14,9 @@
> │  -rw-r--r--  2.0 unx      170 b- defN 22-Mar-13 11:17 META-INF/NOTICE
> │  -rw-r--r--  2.0 unx     1365 b- defN 22-Mar-13 11:17 
> org/apache/axiom/weaver/annotation/FactoryMethod.java
> │  -rw-r--r--  2.0 unx     1101 b- defN 22-Mar-13 11:17 
> org/apache/axiom/weaver/annotation/Inject.java
> │  -rw-r--r--  2.0 unx     1095 b- defN 22-Mar-13 11:17 
> org/apache/axiom/weaver/annotation/Mixin.java
> │  -rw-r--r--  2.0 unx     1100 b- defN 22-Mar-13 11:17 
> org/apache/axiom/weaver/annotation/Singleton.java
> │  -rw-r--r--  2.0 unx     1136 b- defN 22-Mar-13 11:17 
> org/apache/axiom/weaver/annotation/WeavablePackage.java
> │  -rw-r--r--  2.0 unx     1411 b- defN 22-Mar-13 11:17 
> META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.xml
> │ --rw-r--r--  2.0 unx       95 b- defN 22-Mar-13 11:17 
> META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.properties
> │ +-rw-rw-r--  2.0 unx       95 b- defN 22-Mar-13 11:17 
> META-INF/maven/org.apache.ws.commons.axiom/axiom-weaver-annotations/pom.properties
> │  20 files, 19157 bytes uncompressed, 8089 bytes compressed:  57.8%
> │   --- target/reference/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
> ├── +++ target/axiom-weaver-annotations-2.0.0-SNAPSHOT-sources.jar
> │ @@ -676,15 +676,15 @@
> │  00002a30: 0000 0000 0000 a481 b020 0000 4d45 5441  ......... ..META
> │  00002a40: 2d49 4e46 2f6d 6176 656e 2f6f 7267 2e61  -INF/maven/org.a
> │  00002a50: 7061 6368 652e 7773 2e63 6f6d 6d6f 6e73  pache.ws.commons
> │  00002a60: 2e61 7869 6f6d 2f61 7869 6f6d 2d77 6561  .axiom/axiom-wea
> │  00002a70: 7665 722d 616e 6e6f 7461 7469 6f6e 732f  ver-annotations/
> │  00002a80: 706f 6d2e 786d 6c50 4b01 0214 0314 0000  pom.xmlPK.......
> │  00002a90: 0808 0022 5a6d 54b9 68bb 2558 0000 005f  ..."ZmT.h.%X..._
> │ -00002aa0: 0000 0052 0000 0000 0000 0000 0000 00a4  ...R............
> │ +00002aa0: 0000 0052 0000 0000 0000 0000 0000 00b4  ...R............
> │  00002ab0: 81e8 2300 004d 4554 412d 494e 462f 6d61  ..#..META-INF/ma
> │  00002ac0: 7665 6e2f 6f72 672e 6170 6163 6865 2e77  ven/org.apache.w
> │  00002ad0: 732e 636f 6d6d 6f6e 732e 6178 696f 6d2f  s.commons.axiom/
> │  00002ae0: 6178 696f 6d2d 7765 6176 6572 2d61 6e6e  axiom-weaver-ann
> │  00002af0: 6f74 6174 696f 6e73 2f70 6f6d 2e70 726f  otations/pom.pro
> │  00002b00: 7065 7274 6965 7350 4b05 0600 0000 0014  pertiesPK.......
> │  00002b10: 0014 0057 0600 00b0 2400 0000 00         ...W....$....
> {code}
> Note that although maven-jar-plugin adds the same {{pom.properties}} file to 
> the archive, it isn't affected by this problem.
> I discovered this while trying to check the reproducibility of Apache Axiom 
> builds in a Github Codespace, where file permissions are set in a peculiar 
> way; see [https://github.com/orgs/community/discussions/26026].



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Updated] (MSOURCES-137) Artifacts generated by maven-source-plugin are not reproducible because they depend on the umask

Reply via email to