cannot reproduce official binaries

qos-ch / reload4j

reload4j is a drop-in replacement for log4j 1.2.17

Apache License 2.0

148 stars 22 forks source link

cannot reproduce official binaries #57

Closed hboutemy closed 1 year ago

hboutemy commented 1 year ago

reload4j has near full Reproducible Build: https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/ch/qos/reload4j/README.md

but there is only one strange difference:

├── META-INF/MANIFEST.MF
│ @@ -2,15 +2,14 @@

│  Implementation-Vendor: QOS.CH Sarl (Switzerland)

│ -Originally-Created-By: Apache Maven Bundle Plugin 5.1.4

│  Export-Package: org.apache.log4j;version="1.2.22";uses:="org.apache.lo

how was this Originally-Created-By field injected in published binaries? Should the rebuild script do more than just mvn package to get this field injected? (I did not see any profile for that in project's pom.xml)

ceki commented 1 year ago

Hi @hboutemy,

Thank you for your message. I love the idea of https://github.com/jvm-repo-rebuild/reproducible-central.

There is the maven-bundle-plugin declaration on line 297 of relaod4j/pom.xml. Have you noticed that?

how was this Originally-Created-By field injected in published binaries?

The following command is invoked command to deploy artifacts on Maven Central:

mvn deploy -P javadocjar,sign-artifacts

I noticed the toolchains profile but I do no think it is used at all.

hboutemy commented 1 year ago

Hi @ceki ,

I love the idea of https://github.com/jvm-repo-rebuild/reproducible-central.

thank you, it's a huge work, I'm happy that you find it useful

The following command is invoked command to deploy artifacts on Maven Central: mvn deploy -P javadocjar,sign-artifacts

oh, I now understand: you run mvn twice = once to build initially, once to deploy and bundle plugin modifies the output on the second run...

ok, I think I'll be able to tweak my rebuild script to do that double mvn invocation process

in the future, I suggest you to clean first when deploying = mvn clean deploy -P javadocjar,sign-artifacts

hboutemy commented 1 year ago

woohoo, now I am able to reproduce release 1.2.22! https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/ch/qos/reload4j/README.md

notice: you can also by just running ./rebuild.sh content/ch/qos/reload4j/reload4j-1.2.22.buildspec

ceki commented 1 year ago

I am very happy to hear that. Awesome news.