Closed
Description
opened on Apr 10, 2024
https://reproducible-builds.org explains the reasons why reproducible builds are desirable. Some known issues related to reproducible builds:

- `project.build.outputTimestamp` is not configured as recommended in https://maven.apache.org/guides/mini/guide-reproducible-builds.html
- https://maven.apache.org/guides/mini/guide-reproducible-builds.html notes that maven-release-plugin version 3.0.0-M1 or later will automatically update the `project.build.outputTimestamp` property in `pom.xml` during the release in the same commit that updates version but that "if you have a custom release process tooling, you'll need to add the feature to your release tooling." https://github.com/jenkinsci/incrementals-tools is missing this feature.
- Use of `Properties#store` (e.g., in Stapler) adds timestamps to every generated resource file — though perhaps this could be worked around by specifying `-Djava.properties.date` on recent Java versions or using a custom `Writer` that chomps comment lines
- JAR and JPI artifacts created by `maven-hpi-plugin` do not call `MavenArchiver#configureReproducibleBuild` as recommended in https://s.apache.org/reproducible-builds
- Even with an explicit source and target defined, each major JDK version changes the generated bytecode
- https://maven.apache.org/guides/mini/guide-reproducible-builds.html notes that `maven-javadoc-plugin` requires `<notimestamp>true</notimestamp>` configuration in `<pluginManagement>` for use both from plugins and reports; this may or may not be an issue in Jenkins plugin builds
- Different line breaks on Unix versus Windows systems are a common problem, which may or may not apply to Jenkins plugin builds

There may be additional issues beyond what is listed above. Further investigation is needed to determine how to achieve this goal.
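
The `Properties#store` item above mentions a custom `Writer` that drops comment lines. The following is an added sketch of that idea, not code from this issue or from any Jenkins project; the class and method names are hypothetical. It covers only the timestamp comment and the platform line separator, not the order in which entries are written.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.Properties;

public class ReproducibleProperties {
    /** Drops lines starting with '#' and normalises line endings to "\n". */
    static final class CommentStrippingWriter extends Writer {
        private final Writer out;
        private final StringBuilder line = new StringBuilder();
        CommentStrippingWriter(Writer out) { this.out = out; }

        @Override
        public void write(char[] cbuf, int off, int len) throws IOException {
            for (int i = off; i < off + len; i++) {
                char c = cbuf[i];
                if (c == '\r') continue; // raw CR only occurs in the line separator
                if (c == '\n') emit(); else line.append(c);
            }
        }

        private void emit() throws IOException {
            // store() escapes a leading '#' in a key as "\#", so a raw '#' is a comment.
            if (line.length() > 0 && line.charAt(0) != '#') {
                out.write(line.toString());
                out.write('\n');
            }
            line.setLength(0);
        }

        @Override public void flush() throws IOException { out.flush(); }
        @Override public void close() throws IOException { emit(); out.close(); }
    }

    /** Serialises props without the date comment that Properties#store adds. */
    static String store(Properties props) throws IOException {
        StringWriter sink = new StringWriter();
        try (Writer w = new CommentStrippingWriter(sink)) {
            props.store(w, "generated");
        }
        return sink.toString();
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.setProperty("Example.displayName", "Example"); // constructed sample entry
        String first = store(props);
        Thread.sleep(1100); // the date comment has one-second resolution
        System.out.println(first.equals(store(props)) ? "identical" : "differs");
    }
}
```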