Closed. glasser closed this 7 months ago.
While the next version of JIB is getting prepared for release, you may try this workaround:
I'm using a multi-module Gradle project with a `buildSrc` folder containing build scripts. I was able to achieve reproducible builds with JIB 3.4.1 like this: I modified the `buildSrc/build.gradle.kts` file by adding a `constraints` block in the `dependencies` section:

```kotlin
dependencies {
    // Other dependencies
    implementation("com.google.cloud.tools:jib-gradle-plugin:3.4.1")
    constraints {
        implementation("org.apache.commons:commons-compress") {
            version {
                strictly("1.21")
                because("For reproducibility of JIB images")
            }
        }
    }
}
```
Unrelated to JIB, but related to Spring Boot and Jar packaging tasks: I also added these blocks:
```kotlin
springBoot {
    buildInfo {
        excludes.set(setOf("time"))
    }
}

tasks.withType<org.springframework.boot.gradle.tasks.bundling.BootJar> {
    isPreserveFileTimestamps = false
    isReproducibleFileOrder = true
}

tasks.withType<Jar> {
    isPreserveFileTimestamps = false
    isReproducibleFileOrder = true
}
```

Now running `./gradlew clean build jibBuildTar --no-build-cache` produces the same `.tar` file every time!
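To verify a claim like "the same `.tar` every time" rather than eyeball it, the following added script (not part of the comment above or of Jib) compares two `jibBuildTar` outputs: it hashes both archives and, when they differ, names the entries and tar header fields (mtime, ownership, PAX records, content) that changed. The `make_tar` archives are constructed samples standing in for real Jib output.

```python
"""Compare two tar images (e.g. two runs of ./gradlew jibBuildTar) for
reproducibility. Added example, not Jib code."""
import hashlib
import io
import tarfile


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def entry_fingerprints(tar_bytes: bytes) -> dict:
    """Map each entry name to the header fields that affect reproducibility."""
    fps = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tf:
        for m in tf:
            content = tf.extractfile(m).read() if m.isfile() else b""
            fps[m.name] = {
                "size": m.size, "mtime": int(m.mtime), "mode": m.mode,
                "uid": m.uid, "gid": m.gid, "uname": m.uname, "gname": m.gname,
                # Extended PAX records (e.g. extra timestamps) break byte-identity
                # even when the classic ustar fields all match.
                "pax": sorted(m.pax_headers.items()),
                "sha256": sha256_of(content),
            }
    return fps


def compare_builds(a: bytes, b: bytes) -> dict:
    """Return {} for byte-identical archives, else per-entry field diffs."""
    if sha256_of(a) == sha256_of(b):
        return {}
    fa, fb = entry_fingerprints(a), entry_fingerprints(b)
    diffs = {}
    for name in sorted(set(fa) | set(fb)):
        if name not in fa or name not in fb:
            diffs[name] = {"present": (name in fa, name in fb)}
            continue
        changed = {k: (fa[name][k], fb[name][k])
                   for k in fa[name] if fa[name][k] != fb[name][k]}
        if changed:
            diffs[name] = changed
    return diffs


def make_tar(mtime: int, pax: dict = None) -> bytes:
    """Constructed sample archive with one class file (stand-in for Jib output)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo("app/classes/Main.class")
        payload = b"\xca\xfe\xba\xbe"
        info.size, info.mtime = len(payload), mtime
        if pax:
            info.pax_headers = dict(pax)  # simulate extra PAX timestamp records
        tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
```

For real builds, read both `.tar` files with `Path(...).read_bytes()` and pass them to `compare_builds`; an empty result means the two runs were byte-identical.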
We are also impacted by this and we use Bazel. A release soon would be very much appreciated, since apparently commons-compress 1.21 may have a vulnerability.
jib-gradle-plugin:3.4.2 and jib-maven-plugin:3.4.2 have been released with the fix in #4204! Thanks again for your help @izogfif and @bjornbugge!
We use Jib primarily for reproducibility, so #4141 has been a big challenge for us. We are excited about the fix #4204 that was merged two weeks ago. Can a new release be created?
Environment:
All
Description of the issue:
Jib builds are not reproducible when run with the latest release unless we are very careful to install the right version of commons-compress
Expected behavior:
We can use the fix in #4204 without building our own JARs.