OpenAPITools / openapi-diff

Utility for comparing two OpenAPI specifications.
Apache License 2.0

Using maven plugin prevents building from tarball #299

Closed dvzrv closed 2 years ago

dvzrv commented 2 years ago

Hi! When packaging 2.0.0 for Arch Linux I realized that the tool cannot be built from a tarball of a release as long as the git hooks maven plugin is in use:

https://github.com/OpenAPITools/openapi-diff/blob/ed6345ee792f86ba20397356bc08066ac53373b2/pom.xml#L290-L294

https://github.com/OpenAPITools/openapi-diff/blob/ed6345ee792f86ba20397356bc08066ac53373b2/pom.xml#L349-L366

As this seems to be only for code formatting, is it possible to circumvent its use (aside from removal), when using mvn clean install?

joschi commented 2 years ago

You can disable the githook-maven-plugin by setting the system property githook.plugin.skip to false.

https://github.com/phillipuniverse/githook-maven-plugin#additional-configuration-options

joschi commented 2 years ago

@dvzrv Why would you build the project from scratch when you could download the official JAR from Maven Central? It's not like your byte code would be any different.

dvzrv commented 2 years ago

You can disable the githook-maven-plugin by setting the system property githook.plugin.skip to false.

Thanks, I will look into that! :)

Why would you build the project from scratch when you could download the official JAR from Maven Central?

We generally build everything (that we can) from source. This allows for reproducibility and not being affected by supply chain attacks on a binary repository such as Maven Central, or by a compromised build infrastructure in which the official jar is being built. Furthermore, Arch Linux invests in having reproducible builds for all of its packages.

It's not like your byte code would be any different.

In fact, it would be, because maven builds are usually not bit-by-bit reproducible unless configured so (for this purpose strip-nondeterminism is currently used to strip nondeterministic strings such as timestamps from the resulting jar).
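The timestamp point above, as an added Python example that is not part of the thread or the openapi-diff project: two builds of byte-identical class files produce jars with different hashes because every zip entry carries the build's wall-clock time, and a strip-nondeterminism-style pass (fixed timestamps, sorted entry order, fixed file mode) makes them compare equal. The entry names and contents are constructed sample data, not the real artifact.

```python
import hashlib
import io
import zipfile

# Constructed sample "build output": identical in both builds.
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuilt-By: ci\n",
    "org/example/Example.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x37",  # hypothetical class
}

FIXED_EPOCH = (1980, 1, 1, 0, 0, 0)  # earliest timestamp a zip entry can hold


def build_jar(entries, build_time):
    """Emulate a normal build: each entry is stamped with the build's wall-clock time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=build_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def normalize_jar(jar_bytes, epoch=FIXED_EPOCH):
    """Rewrite a jar with fixed timestamps, sorted entries and a fixed mode,
    the same kind of normalization strip-nondeterminism applies to zip files."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name in sorted(src.namelist()):
            info = zipfile.ZipInfo(name, date_time=epoch)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # regular file, rw-r--r--
            zf.writestr(info, src.read(name))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def compare_builds(entries=ENTRIES):
    """Return (raw hashes equal?, normalized hashes equal?) for two builds a day apart."""
    first = build_jar(entries, (2023, 1, 15, 10, 0, 0))
    second = build_jar(entries, (2023, 1, 16, 11, 30, 0))
    raw_equal = sha256(first) == sha256(second)
    norm_equal = sha256(normalize_jar(first)) == sha256(normalize_jar(second))
    return raw_equal, norm_equal
```

Running `compare_builds()` yields `(False, True)`: the unmodified jars differ only in their entry timestamps, and the normalized ones are bit-identical.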

joschi commented 2 years ago

In fact, it would be, because maven builds are usually not bit-by-bit reproducible

Yeah, I've heard that one before. 😉 https://github.com/dropwizard/dropwizard/commit/c9158ff430c77fd0eb30f61f5a6b5ca185ed69e5

joschi commented 2 years ago

@dvzrv This issue should've been resolved via #300 and #301.

dvzrv commented 2 years ago

@joschi many thanks! :heart: