jakartaee / jakartaee-api


make build reproducible #96

Closed hboutemy closed 10 months ago

hboutemy commented 3 years ago

See https://maven.apache.org/guides/mini/guide-reproducible-builds.html. This will permit adding the next release to https://github.com/jvm-repo-rebuild/reproducible-central

Once eclipse-ee4j/ee4j#71 is merged and the parent upgraded, the project.build.outputTimestamp will be updated automatically during release.

kwsutter commented 3 years ago

Hi @hboutemy. Can you please explain what problem is being resolved with this PR? And, the related https://github.com/eclipse-ee4j/ee4j/pull/71? Thanks.

hboutemy commented 3 years ago

@kwsutter sure

Objective: implement Reproducible Builds https://reproducible-builds.org/

How: High level view is to apply Maven mini-guide https://maven.apache.org/guides/mini/guide-reproducible-builds.html

  1. use newer plugin versions that support Reproducible Builds (here Maven Jar and Source plugins),
  2. activate Reproducible Builds mode of these plugins (by defining the timestamp value that will be used for archive entries)

In addition, I removed the useDefaultManifestFile parameter because it is deprecated: https://maven.apache.org/plugins/maven-jar-plugin/jar-mojo.html

On future new releases of your projects that did such a config, Reproducible Central will try to rebuild and check that the reference "official" build result can be effectively reproduced bit for bit, proving that the objective is attained = binaries that everybody downloads can also be rebuilt from sources; there is no hidden trick between source and binaries

For Jakarta EE reference binaries, I think this is something that has even more value than any other projects. And it can help promote the practice, because Reproducible Builds is not sufficiently well known, and the fact that it is proved feasible and not so hard to do... If you agree, I'll help on updating every piece of Jakarta EE in the future.
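The effect of fixing the archive entry timestamp, described in the comment above, shown as an added example that is not part of the PR or of the Maven plugins. Python's zipfile stands in for the Jar plugin; `build_archive`, `differing_entries`, the `output_timestamp` parameter (playing the role of project.build.outputTimestamp) and the sample entries are constructed for illustration.

```python
import hashlib
import io
import time
import zipfile

# Constructed sample content standing in for a jar's entries (not from the PR).
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "META-INF/maven/example/pom.properties": b"artifactId=example\nversion=1.0\n",
}

def build_archive(entries, output_timestamp=None, build_clock=None):
    """Build a jar-like zip in memory and return its bytes.

    output_timestamp: fixed (Y, M, D, h, m, s) applied to every entry.
    build_clock: simulated wall-clock time of the build, used only when no
    output_timestamp is set (defaults to the real current time).
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(entries):  # stable entry order
            stamp = output_timestamp or build_clock or time.localtime()[:6]
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed permissions
            zf.writestr(info, entries[name])
    return buf.getvalue()

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def differing_entries(a, b):
    """Return entry names whose timestamp or CRC differs between two archives."""
    def meta(raw):
        with zipfile.ZipFile(io.BytesIO(raw)) as z:
            return {i.filename: (i.date_time, i.CRC) for i in z.infolist()}
    ma, mb = meta(a), meta(b)
    return sorted(n for n in ma.keys() | mb.keys() if ma.get(n) != mb.get(n))

if __name__ == "__main__":
    first, later = (2021, 3, 1, 10, 0, 0), (2021, 3, 1, 10, 5, 0)
    a, b = (build_archive(ENTRIES, build_clock=t) for t in (first, later))
    print("clock timestamps:", sha256(a) == sha256(b), differing_entries(a, b))
    fixed = (2021, 1, 1, 0, 0, 0)
    a, b = (build_archive(ENTRIES, fixed, t) for t in (first, later))
    print("fixed timestamp: ", sha256(a) == sha256(b), differing_entries(a, b))
```

The same comparison is what a rebuilder performs on the published artifact: identical sources and a recorded timestamp must yield an identical hash, and any differing entry points at what changed.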

lprimak commented 1 year ago

@kwsutter @starksm64 This definitely has value and needs to be merged.

hboutemy commented 1 year ago

PR rebased to ease merge

lprimak commented 10 months ago

@ivargrimstad Is there anything precluding this from being merged? Now that the APIs are just POM files, this should be trivial.

Thank you!

ivargrimstad commented 10 months ago

I don't think this PR is necessary any longer as it is fixed by the parent pom.

lprimak commented 10 months ago

Can we go ahead and close it then?

ivargrimstad commented 10 months ago

Fixed by Parent pom