MiniDNS / minidns

DNS library for Android and Java SE

Remove date stamp to make the builds reproducible #111

Closed SunilMohanAdapa closed 3 years ago

SunilMohanAdapa commented 3 years ago

Context: I am part of the FreedomBox project and packaging Jitsi into Debian. minidns is a dependency of Jitsi and has been packaged and uploaded into Debian. minidns has failed to build reproducibly. The artifacts can be downloaded from the pipeline and examined using diffoscope (package diffoscope in Debian) or other tools.

Problem: The built jar file, minidns-core-1.0.0.jar, contains the file org.minidns/version, which in turn contains the date of the build. When built on different dates, this leads to different jar files.

Expectation: minidns should build reproducibly. Reproducible builds are an important way to independently verify the integrity of the binaries. See the argument for reproducible builds.

Fix: Timestamps need not be part of the build output. They are best avoided. The following patch should fix the problem.

diff --git a/minidns-core/build.gradle b/minidns-core/build.gradle
index 5de0da9..be1064b 100644
--- a/minidns-core/build.gradle
+++ b/minidns-core/build.gradle
@@ -12,7 +12,7 @@ class CreateFileTask extends DefaultTask {
 }

 task createVersionResource(type: CreateFileTask) {
-   fileContent = version + ' (' + gitCommit + ' ' + builtDate + ')'
+   fileContent = version + ' (' + gitCommit ')'
    outputFile = new File(projectDir, 'src/main/resources/org.minidns/version')
 }
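Review bot: The added line `fileContent = version + ' (' + gitCommit ')'` is missing the `+` between `gitCommit` and `')'`, so the Groovy expression will not parse; it should read `gitCommit + ')'`. If `builtDate` is no longer referenced anywhere after this change, its definition can be removed in the same patch so that no unused date lookup stays in the build script.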
SunilMohanAdapa commented 3 years ago

Correction:

+   fileContent = version + ' (' + gitCommit + ')'
Flowdalic commented 3 years ago

How about a build switch that disables the timestamp? FYI you will find the same also in jXMPP and Smack.

SunilMohanAdapa commented 3 years ago

A build flag would get the job done for Debian.

However, if the binaries published by this project (on maven, github, etc.) will contain that date stamp by default, then it is worth reconsidering if the date stamp is serving a good purpose (and if git commit id is not sufficient). In the wake of reproducible builds effort, many projects have dropped the time stamps from build output by default as they didn't find it useful enough.

Thanks for the heads up on jXMPP and Smack.

Flowdalic commented 3 years ago

> However, if the binaries published by this project (on maven, github, etc.) will contain that date stamp by default, then it is worth reconsidering if the date stamp is serving a good purpose (and if git commit id is not sufficient). In the wake of reproducible builds effort, many projects have dropped the time stamps from build output by default as they didn't find it useful enough.

Yes, I will take this into consideration. Please allow me to think about this a bit. I also considered adding a build-time override option that allows you to set an arbitrary build time, including none. Meanwhile, feel encouraged to open PRs against MiniDNS, jxmpp and Smack that remove the build timestamp. But be aware that I want to sleep on it before I make a final decision.

SunilMohanAdapa commented 3 years ago

Thank you for your consideration. Will post PRs for jXMPP and Smack as soon as I can test their reproducibility.
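
A small check for the problem described in this issue, added here as an example and not part of the thread or the minidns project: it compares two jars entry by entry and reports which entries differ in content and which differ in zip modification time, which goes slightly beyond the version file discussed above. The jars, version strings, commit id `0000000` and dates are constructed samples, and `make_jar`, `entry_index` and `compare_jars` are hypothetical helper names.

```python
import hashlib
import io
import zipfile


def make_jar(version_text, mtime):
    """Build a small in-memory jar (constructed sample, not a real minidns build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in (
            ("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n"),
            ("org.minidns/version", version_text),
        ):
            # Setting date_time explicitly controls the per-entry zip timestamp.
            jar.writestr(zipfile.ZipInfo(name, date_time=mtime), data)
    return buf.getvalue()


def entry_index(jar_bytes):
    """Map entry name -> (sha256 of content, zip modification time)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {
            i.filename: (hashlib.sha256(jar.read(i)).hexdigest(), i.date_time)
            for i in jar.infolist()
        }


def compare_jars(a, b):
    """Report entries that differ in content, in zip timestamp, or exist on one side only."""
    ia, ib = entry_index(a), entry_index(b)
    common = sorted(ia.keys() & ib.keys())
    return {
        "content": [n for n in common if ia[n][0] != ib[n][0]],
        "mtime": [n for n in common if ia[n][1] != ib[n][1]],
        "only_one_side": sorted(ia.keys() ^ ib.keys()),
    }


FIXED = (1980, 1, 1, 0, 0, 0)  # constant timestamp (assumption for this example)
# Constructed samples in the "version (gitCommit builtDate)" shape from the patch.
day1 = make_jar("1.0.0 (0000000 2021-03-01)", (2021, 3, 1, 12, 0, 0))
day2 = make_jar("1.0.0 (0000000 2021-03-02)", (2021, 3, 2, 12, 0, 0))
# Same builds with the date removed from the version file and fixed entry times.
fixed1 = make_jar("1.0.0 (0000000)", FIXED)
fixed2 = make_jar("1.0.0 (0000000)", FIXED)

if __name__ == "__main__":
    print(compare_jars(day1, day2))
    print("byte-identical without date:", fixed1 == fixed2)
```
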