temurin-build icon indicating copy to clipboard operation
temurin-build copied to clipboard
verified publisher icon adoptium

Enable Reproducible User linux builds via Devkits

Open adamfarley opened this issue 2 years ago • 8 comments

Summary

I propose we use devkits to build Temurin binaries at Adoptium.

The Reasoning

Using devkits to enable cross-compilation of Temurin binaries makes sense to me, as it reduces the number of build machines needed for ea builds. It also reduces the number of machines at release time, if we are prepared to wait a little for secondary/tertiary/quaternary platforms.

Devkits appear explicitly supported at OpenJDK, as we see here in the section "Cross compiling the easy way with OpenJDK devkits".

The use of cross-sompilation-enabling devkits also plays further into our concurrency strategy, best evidenced by the concurrency settings you can find in Adoptium's testing infrastructure. Only have one machine? Run the tests serially. Have 2+ machines? Run the tests in parallel and aggregate the results.

Using devkits allows us to scale our build infrastructure the same way, whether we have one machine available, or one hundred.

Also, the use of devkits could enable us to remove release blockers. Got no Linux ppcle machine available? You can't build. This allows us to sidestep the issue (for building, if not testing), and provides a more robust build framework that isn't at the mercy of the infrastructure pantheon.

For these reasons, the use of devkits makes sense. I welcome thoughts and discussion as we refine the concept, and debate the viability/implementation specifics of this proposal.

Topics to consider/discuss

  1. Are OpenJDK devkits a good "fit" for Adoptium?
  2. Should we be generating our own devkit builds?
  3. Should we become a devkit vendor, allowing others to easily duplicate our build process without having to build their own (if it matters)?
  4. Devkits currently appear to be limited to various Linux architectures. Can/should we pursue creating devkits on non-Linux OS', such as Windows and Mac? (Expansion task, maybe?)

adamfarley avatar Aug 31 '23 15:08 adamfarley

Tagging Zdenek Zambersky

adamfarley avatar Aug 31 '23 15:08 adamfarley

Noting that https://github.com/openjdk/jdk17u/tree/master/make/devkit has non-Linux devkit scripts so it is likely not strictly limited to LInux.

sxa avatar Aug 31 '23 16:08 sxa

Tagging Zdenek Zambersky

I have repo, with specfiles for my experimental devkit packages. (more info and links to some related work in readme) However, I have not yet tried to cross build for different architecture (but rather doing devkit builds on multiple architectures in copr).

zzambers avatar Aug 31 '23 16:08 zzambers

I would not be against this as an option for folks to use, but I have a personal preference for using native toolchains where possible.

karianna avatar Sep 01 '23 02:09 karianna

I would be against this as an option for folks to use, but I have a personal preference for using native toolchains where possible.

I certainly prefer to continue to build natively, but to be clear (since it's not in the original description) the devkit would allow us to build a native compiler version that is a known version which is consistent with other providers building using the devkit. At the moment we use a computer built from the vanilla upstream GCC sources for (non-Alpine) Linux.

While we are separately looking at cross compiling for macos/x64 at the moment, and are already cross-building the Windows/aarch64 evaluation builds I agree that cross compiling on Linux should not be part of this initial proposal. Having said that, we have been cross compiling some of the non-Temyrin RISC-V build so w could switch to a cross-devkit there.

sxa avatar Sep 01 '23 08:09 sxa

@adamfarley @karianna The main purpose we should look at providing temurin-build scripts support for "DevKits", is for reproducible builds. As is highlighted in the openjdk doc: https://openjdk.org/groups/build/doc/building.html :

Notice that devkits are not only useful for targeting different build platforms. Because they contain the full build dependencies for a system (i.e. compiler and root file system), they can easily be used to build well-known, reliable and reproducible build environments.

This will thus enable other users/3rd parties to exactly reproduce Temurin binaries "identically", and thus perform a "trusted validation" reproducible build in their own environment.

andrew-m-leonard avatar Sep 05 '23 14:09 andrew-m-leonard

Updated title to reflect current desire to implement this for reproducible linux builds

andrew-m-leonard avatar Nov 02 '23 10:11 andrew-m-leonard

Creating a jdk21u aarch64 Linux DevKit within Jenkins: issue: https://github.com/adoptium/temurin-build/issues/3519

andrew-m-leonard avatar Nov 02 '23 10:11 andrew-m-leonard

s390x Linux DevKit enablement work: https://github.com/adoptium/temurin-build/issues/3700

andrew-m-leonard avatar Mar 19 '24 09:03 andrew-m-leonard

Completed

andrew-m-leonard avatar Apr 04 '24 15:04 andrew-m-leonard