reproducible-build-maven-plugin icon indicating copy to clipboard operation
reproducible-build-maven-plugin copied to clipboard

Published 20 hours ago verified publisher icon Zlika

Clarify the difference of latest maven support for reproducible build and features of plugin

Open zeldigas opened this issue 3 years ago • 8 comments
trafficstars

Hello, first I'd like to thank you again for this great plugin - I'm long time user and it helps us a lot to get reproducible artifacts.

Now getting back to issue. Right now docs mention that

Recent versions of the main Maven plugins have been modified to allow reproducible builds without the use of this plugin

I feel that by reading this, potential user might get puzzled - "What should I choose then?". Would be great to list some use-cases when stock maven functionality will be enough (I suppose it is something like building plain jar file in regular env) and scenarios when it will not be enough and using this plugin will be way more easier (or the only way to do things).

I assume this is related with some processing of custom files like properties (e.g. spring.factories) or fixing permissions of archive entries that was added in #24, but still.

zeldigas avatar Dec 28 '21 19:12 zeldigas

I would love to know this as well because I think that almost everything is now available out of the box from Maven ecosystem.

michael-o avatar Jan 04 '22 19:01 michael-o

Hi all, Lots of Maven plugins have been updated to be compatible with reproducible builds (cf. https://maven.apache.org/guides/mini/guide-reproducible-builds.html and https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318). I don't have a precise list of all the features of this plugin vs all the maven plugins that have been fixed, so the best way to know if this plugin is still useful for your project is to test the reproducibility without/with this plugin.

Zlika avatar Jan 06 '22 17:01 Zlika

Hopefully we can retire this plugin this year and have everything by default available.

michael-o avatar Jan 06 '22 18:01 michael-o

Hi Thomas; I just proposed #57 to make the plugin's build reproducible, so the next release published to central can be reproduced.

On comparing what you did in this plugin (that was my starting point with you a few years ago, what a great work together) vs what is covered nowadays, we wrote the feature in the documentation http://zlika.github.io/reproducible-build-maven-plugin/ in the goal paragraph:

  1. strip-jar fixes normal jars reproducibility: AFAIK, maven-jar-plugin now does the job
  2. strip-jaxb fixes noise introduced by jaxb: AFAIK, it's yet to be fixed, as seen in https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/isis/isis-all-2.0.0-M7.diffoscope

Then I think only the strip-jaxb is still relevant nowadays

I'll be at Devoxx France in 1 month, I hope to see you there :)

hboutemy avatar Mar 15 '22 00:03 hboutemy

Thanks @hboutemy. I was not able to find a ticket for Devoxx Fr this time, I'll try Devoxx Belgium... Do you plan a talk to present these new Maven reproducible build features?

Zlika avatar Mar 15 '22 10:03 Zlika

I did not submit any talk yet: I probably should, given there are many visible results, and still much to do...

hboutemy avatar Mar 15 '22 17:03 hboutemy

There is still a good use case for reproducible-build-maven-plugin to process jar files generated by proguard (see https://github.com/wvengen/proguard-maven-plugin/issues/279)

ebourg avatar Jul 06 '24 21:07 ebourg

There is still a good use case for reproducible-build-maven-plugin to process jar files generated by proguard (see wvengen/proguard-maven-plugin#279)

https://github.com/Guardsquare/proguard/issues/414

michael-o avatar Jul 06 '24 21:07 michael-o