
Updating build to be reproducible

Open bdemers opened this issue 2 years ago • 7 comments

Multiple builds (without changes) will produce the same output (e.g. the hash of the jars will be identical)

> [!NOTE]
> This can be tested by running:
>
> `mvn clean install && mvn clean verify artifact:compare`

bdemers avatar Mar 23 '23 17:03 bdemers

@bdemers do you want to try this again given all that stuff has been merged to master? If not, please close. 😄

lhazlewood avatar Sep 16 '23 22:09 lhazlewood

We might want to add a CI check in here 🤔 Running the build twice for the full (non-7) matrix is probably overkill...

Maybe pick a version, like the min supported reproducible version, (zulu-8)? and add another job? What do you think?

bdemers avatar Feb 07 '24 22:02 bdemers

> We might want to add a CI check in here 🤔 Running the build twice for the full (non-7) matrix is probably overkill...
>
> Maybe pick a version, like the min supported reproducible version, (zulu-8)? and add another job? What do you think?

What do you mean run it twice? I'm not following 😅

lhazlewood avatar Feb 08 '24 00:02 lhazlewood

> What do you mean run it twice? I'm not following 😅

Sorry about that! To check if a project/build is reproducible, the build is run twice and the output compared.

Basically this:

mvn clean install && mvn clean verify artifact:compare

This would double the run time, which I don't think is worth doing. We could run the above against a single target (potentially even skipping tests, to speed things up), I'm not sure we should worry about this at all in CI right now. It's something we could check periodically or at release time.

@hboutemy do you have any thoughts/recommendations for projects on how to validate reproducibility via CI?

bdemers avatar Feb 08 '24 18:02 bdemers

@bdemers why do you need to run the tests twice? Isn't the goal to ensure that the artifacts are identical? So you just need to run package and skip the tests entirely?

lhazlewood avatar Feb 08 '24 18:02 lhazlewood

> do you have any thoughts/recommendations for projects on how to validate reproducibility via CI?

I recommend NOT trying to validate reproducibility via CI: there is no reason reproducibility will change from commit to commit.

Checking reproducibility by hand is sufficient, and even necessary, because 2 builds on the same environment may give the same result, but not on 2 different environments (for example if the current directory is put in the output).

So real checking requires more than just normal CI.

hboutemy avatar Feb 08 '24 20:02 hboutemy

> I recommend NOT trying to validate reproducibility via CI: there is no reason reproducibility will change from commit to commit.
>
> Checking reproducibility by hand is sufficient, and even necessary, because 2 builds on the same environment may give the same result, but not on 2 different environments (for example if the current directory is put in the output).
>
> So real checking requires more than just normal CI.

Thanks @hboutemy, great points!

bdemers avatar Feb 08 '24 21:02 bdemers
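The "run the build twice and compare" check from the earlier comments, combined with hboutemy's point that two builds in the same place can agree while builds in different places do not, can be scripted as below. This is an added example, not code from the jjwt project or from anyone in this thread. It clones the same revision into two differently named checkout directories (so a leaked working-directory path shows up as a difference), packages each with tests skipped as suggested above, and compares the SHA-256 of every jar found under the two checkouts. The repository URL and revision are hypothetical arguments; it assumes `git`, `mvn` and `sha256sum` are on the PATH.

```shell
#!/usr/bin/env sh
# Added example (not jjwt project code): reproducibility check across two
# different checkout paths. Assumes: git, mvn, sha256sum available; the
# repository URL and revision are passed as arguments (hypothetical values).
set -e

# Print "sha256  ./relative/path.jar" for every jar under a directory, sorted
# so the two listings line up regardless of find's traversal order. Paths are
# relative to the directory so differing checkout names do not cause spurious
# mismatches; only differing jar bytes do.
jar_checksums() {
    dir="$1"
    ( cd "$dir" && find . -type f -name '*.jar' | LC_ALL=C sort | while read -r f; do
        sha256sum "$f"
    done )
}

# Compare the jars produced by two builds. Returns 0 when every jar is
# byte-identical, 1 otherwise, printing the differing entries to stderr.
compare_builds() {
    a="$1"; b="$2"
    tmp_a=$(mktemp); tmp_b=$(mktemp)
    jar_checksums "$a" > "$tmp_a"
    jar_checksums "$b" > "$tmp_b"
    if cmp -s "$tmp_a" "$tmp_b"; then
        rm -f "$tmp_a" "$tmp_b"
        return 0
    fi
    echo "NOT reproducible: jar checksums differ between $a and $b" >&2
    diff "$tmp_a" "$tmp_b" >&2 || true
    rm -f "$tmp_a" "$tmp_b"
    return 1
}

# Clone the same revision into two directories with different names and build
# each with `mvn package`, skipping tests (tests do not change the packaged
# jar). Building under different paths is what catches "current directory
# ended up in the output", which two builds in one directory would miss.
build_twice_and_compare() {
    repo="$1"; rev="$2"
    work=$(mktemp -d)
    for name in checkout-one checkout-two; do
        git clone -q "$repo" "$work/$name"
        git -C "$work/$name" checkout -q "$rev"
        ( cd "$work/$name" && mvn -q -B -DskipTests clean package )
    done
    compare_builds "$work/checkout-one" "$work/checkout-two"
}

# Usage: sh reproducible-check.sh <repo-url-or-path> <git-revision>
if [ "$#" -eq 2 ]; then
    build_twice_and_compare "$1" "$2"
fi
```

Because `compare_builds` walks the whole checkout, it picks up every module's `target/*.jar` in a multi-module build; a non-zero exit plus the `diff` output tells you which jar drifted, and that jar is the one to open with a jar-diffing tool to find the non-deterministic entry.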