Hi Til,

I'm out of ideas as well.

Perhaps we should start a thread on the maven dev list (cc: jdo-dev)?

Craig

> On Feb 14, 2022, at 1:42 AM, Tilmann <tilmann_...@gmx.de> wrote:
> 
> Hi Craig,
> 
> yes, I think generally (e.g. C++) reproducible builds are good and can
> be quite useful. With Java, it's a bit more limited, I assume the main
> problems are the JDK version, dependencies (e.g. .pom with version
> ranges) and the build platform (Windows line breaks, JNI dependencies,
> ...); after all, in Java we deliver a .jar file, not a binary.
> --> I am all in favor of having reproducible builds.
> 
> What I do not understand at the moment is the benefit of:
> 
> mvn clean install
> mvn clean package artifact:compare
> 
> It compares a local build with another local build, so it's avoiding all
> the things that could possibly fail (JDK, dependencies, platform), at
> least as far as I can tell. How can this ever fail? In what way does
> this check for build reproducibility?
> 
> I'm sure I am missing something here...
> 
> Regards,
> Til
> 
> 
> a nice to have.
> 
> On 12/02/2022 02:17, Craig Russell wrote:
>> Hi Til,
>> 
>> I had a brief look at the internets and found some interesting commentary on 
>> the subject. https://reproducible-builds.org/docs/deterministic-build-systems/
>> 
>> I didn't spend much time, but there are a few things that I took away from 
>> that. I think that Java makes it easier because any machine supporting 
>> Java (specific version) will produce reproducible results if some rules are 
>> followed. This is not the case for other compilers that actually might 
>> produce different results on different machines.
>> 
>> Anyway, I still think it's good to verify reproducible results in our 
>> project.
>> 
>> Regards,
>> Craig
>> 
>>> On Feb 11, 2022, at 5:15 AM, Tilmann <tilmann_...@gmx.de> wrote:
>>> 
>>>> The plugin compares the artifacts in the maven repository with the
>>>> ones in the target directory by creating buildinfos for the artifacts
>>>> and comparing them.
>>> 
>>> So the process compares two builds that have been built locally on the
>>> same machine. I don't think I understand how this is meant to work (I
>>> had a look at
>>> https://maven.apache.org/plugins/maven-artifact-plugin/index.html but no
>>> luck):
>>> - If I build both versions locally, why would they ever differ?
>>> - Is there a way to use this process to detect any problems caused by
>>> building on different machines/environment (because it is always run on
>>> the same machine)? It seems like one has to copy builds from another
>>> machine or at least set up a private repository that can be accessed by
>>> multiple machines...?
>>> 
>>> Til
>>> 
>>> 
>>> 
>>> On 10/02/2022 22:33, Michael Bouschen wrote:
>>>> Hi,
>>>> 
>>>> our JDO build is now reproducible, I just have to follow the
>>>> instructions given by hboutemy.
>>>> 
>>>> First I call 'mvn clean install' which builds all the artifacts and
>>>> stores them in the local maven repository.
>>>> Then I call 'mvn clean package artifact:compare' which builds the
>>>> artifacts again, but only in the target directory.
>>>> The plugin compares the artifacts in the maven repository with the ones
>>>> in the target directory by creating buildinfos for the artifacts and
>>>> comparing them.
>>>> 
>>>> This process also works for SNAPSHOT versions.
>>>> 
>>>> Regards Michael
>>>> 
>> Craig L Russell
>> c...@apache.org
>> 

Craig L Russell
c...@apache.org
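
As an added illustration that is not part of the thread and not the maven-artifact-plugin's own code: the Python sketch below builds a jar twice from the same constructed inputs to show one way two builds on a single machine can differ (entry timestamps and entry order inside the archive), and how a byte-level comparison separates that from a real content change. File names, contents and function names are assumptions made up for the example.

```python
import hashlib
import io
import zipfile

# Constructed sample payload standing in for one module's build output.
FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "org/example/Foo.class": b"\xca\xfe\xba\xbe constructed class bytes",
}


def build_jar(files, mtime, order=None):
    """Write a jar (zip) in memory; mtime (Y, M, D, h, m, s) is stamped on every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in (order or list(files)):
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def content_digests(jar_bytes):
    """Per-entry digests: equal when the payload is equal, even if archive bytes differ."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {name: sha256(jar.read(name)) for name in sorted(jar.namelist())}


def compare(first, second):
    """Classify two artifacts; only 'identical' counts as a reproducible build."""
    if sha256(first) == sha256(second):
        return "identical"
    if content_digests(first) == content_digests(second):
        return "same content, different archive metadata"
    return "different content"


if __name__ == "__main__":
    install_time = (2022, 2, 10, 22, 33, 0)   # first build (constructed)
    package_time = (2022, 2, 10, 22, 35, 0)   # second build, two minutes later
    print(compare(build_jar(FILES, install_time), build_jar(FILES, package_time)))
    print(compare(build_jar(FILES, install_time), build_jar(FILES, install_time)))
```
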
