Re: Reproducible Arch Linux in 2024/Q1 (irregular status update)

2024-03-14 Thread John Neffenger
Please note the correction at the end: JDK 17 and 19 (and not JDK 18) have the new '--date' option. On 3/14/24 1:38 AM, Jelle van der Waa wrote: MAVEN == That is new to me! The Maven indirect support for SOURCE_DATE_EPOCH is really nice, but they do have some version requirements,

Re: Reproducible Arch Linux in 2024/Q1 (irregular status update)

2024-03-13 Thread John Neffenger
On 3/12/24 4:04 PM, kpcyrd wrote: 3) Timestamps embedded in .jar files (unreproducible zip files are a big thing for some reason). Many of you may already know this, but just in case ... there is now support in Apache Maven, Gradle, and the JDK itself to normalize the timestamps in JAR

Re: Two questions about build-path reproducibility in Debian

2024-03-06 Thread John Neffenger
Thank you, Vagrant, for taking my concerns seriously. I realize you've been working on this much longer than I have, so I appreciate your perspective. On 3/6/24 10:55 AM, Vagrant Cascadian wrote: That means that we do not always support each other in all things, but we can support each other

Re: Two questions about build-path reproducibility in Debian

2024-03-05 Thread John Neffenger
On 3/5/24 2:11 PM, Vagrant Cascadian wrote: I have no way to change these choices. Then clearly you have not been provided sufficient information, configuration, software, etc. in order to reproduce the build! Rather, I really can't change it or configure it any differently. Three builds:

Re: Two questions about build-path reproducibility in Debian

2024-03-05 Thread John Neffenger
On 3/5/24 8:08 AM, John Gilmore wrote: Our instructions for reproducing any package would have to identify what container/chroot/namespace/whatever the end-user must set up to be able to successfully reproduce a package. And even then, it won't always work. I need to verify the JavaFX builds

Re: How to talk to skeptics?

2022-12-16 Thread John Neffenger
On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote: He also once pointed me to https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html By the way, I think this person's argument falls apart here: "The only way to verify that the untrusted binary is

Re: How to talk to skeptics?

2022-12-14 Thread John Neffenger
On 12/14/22 11:30 AM, Bernhard M. Wiedemann via rb-general wrote: He also once pointed me to https://blog.cmpxchg8b.com/2020/07/you-dont-need-reproducible-builds.html I also wonder how all this verification is going to work. For example, I'll soon be providing reproducible builds of OpenJDK.

Re: Unreproducible Tomacat Issue

2022-11-13 Thread John Neffenger
On 11/12/22 4:32 AM, Roland Clobus wrote: Take a look at the difference in tomcat9: https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/diffoscope-results/tomcat9.html I found it: Tomcat uses a tool called "bnd" to generate its 'module-info.class' files, but there was a bug in

Re: Unreproducible Tomacat Issue

2022-11-12 Thread John Neffenger
On 11/11/22 4:52 PM, Rahul Rajesh Bajaj wrote: Any input from the java folks would be appreciated. The difference identified by Roland Clobus concerning the ordering of files in the 'module-info.class' file might be a new bug. So far, I'm unable to find anything related to it in the OpenJDK

Re: Unreproducible Tomacat Issue

2022-11-12 Thread John Neffenger
On 11/11/22 4:52 PM, Rahul Rajesh Bajaj wrote: Any input from the java folks would be appreciated. I have two follow-up messages. First ... Just for reference, I tested a default build using the 'main' branch of the Apache Tomcat repository: $ SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct) $

Re: JDK 19+21 early-access build is reproducible

2022-05-16 Thread John Neffenger
On 5/16/22 6:00 PM, Chris Lamb wrote: https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8286712 The live bug report is found here: JDK-8286712: jar -M creates unreproducible archives, possibly via extended ZIP attributes https://bugs.openjdk.java.net/browse/JDK-8286712 I'm hoping

Re: JDK 19+21 early-access build is reproducible

2022-05-08 Thread John Neffenger
On 5/8/22 7:42 AM, Bernhard M. Wiedemann wrote: however building JDK is still hard, so I admit I've been doing it for a long time, but I find OpenJDK, after about version 9, to be one of the easiest open-source projects to build. You might be picking up any old Java version on your system

JDK 19+21 early-access build is reproducible

2022-05-06 Thread John Neffenger
Starting yesterday, for the first time, the JDK can create reproducible builds of the JDK! Pull request 8478 [1] was the last reproducibility bug remaining in my JDK builds on Linux, and it's included in the latest JDK 19+21 early-access build. [2] OpenJDK 19 will be generally available on

Re: SOURCE_DATE_EPOCH and timezone with FAT images

2022-02-23 Thread John Neffenger
On 2/23/22 2:53 AM, Thomas Schmitt wrote: From this I hope to correctly argue in favor of a standard timezone for software that is delivered as reproducible FAT filesystem image: It's not just for FAT filesystem images, but any software that stores a timestamp in the "MS-DOS date and time"

Re: Please review the draft for December's report

2022-01-04 Thread John Neffenger
On 1/4/22 10:47 AM, Vagrant Cascadian wrote: If you foresee being a regular contributor, please sign up for an account at salsa.debian.org and we can get you access to the repository. I have an account, but I completely missed the part in the original message about submitting updates through

Re: Please review the draft for December's report

2022-01-04 Thread John Neffenger
On 1/3/22 7:08 AM, Chris Lamb wrote: Hi all, Please review the draft for December's Reproducible Builds report: https://reproducible-builds.org/reports/2021-12/?draft Would it be helpful to add a section about upstream changes regarding reproducible builds made by the upstream projects

Re: Reproducible builds on Java

2021-09-08 Thread John Neffenger
On 9/6/21 2:17 AM, Magnus Ihse Bursie wrote: But a larger issue than OpenJDK itself is to make sure that the tools from the JDK are creating reproducible builds for all Java projects out there. If anyone from the reproducible builds community has something to add to the discussion, now is

Re: Reproducible builds on Java

2021-09-07 Thread John Neffenger
On 9/6/21 2:17 AM, Magnus Ihse Bursie wrote: But a larger issue than OpenJDK itself is to make sure that the tools from the JDK are creating reproducible builds for all Java projects out there. If anyone from the reproducible builds community has something to add to the discussion, now is the