[ https://issues.apache.org/jira/browse/MJAR-275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17748591#comment-17748591 ]
Jorge Solórzano commented on MJAR-275: -------------------------------------- Please note that the fix done in [https://bugs.openjdk.org/browse/JDK-8258117] in the JDK 18 only partially fixes the problem, from my findings, JDK 18 does fix the {{module-info.class}} timestamp, BUT if the {{Main-Class}} attribute is set, then the {{MANIFEST.MF}} is updated without preserving the timestamp. In other words, this fix does not work correctly as it breaks reproducible build anyway in that scenario, this fix is NOT used in Maven as is not reliable. The ACTUAL fix done in Maven uses a new feature implemented in JDK 19+ and backported to JDK 18.0.1+ and JDK 17.0.3+, the issue for that feature is this one: [https://bugs.openjdk.org/browse/JDK-8277755] , it basically leverage a feature to pass the --date parameter to the jar tool, plexus-archiver has detection if this feature exists, so it works the same in JDK 17.0.2 (which doesn't have the feature) and JDK 17.0.3+, and at the same time works with previous versions even JDK 9. The inclusion of JDK patch version information is another topic that should be tackled, and yes, we should open a JDK issue for it, yet a fix for this could take a while and there is no real hope to get a backport for it in earlier versions of the JDK, so yes, we could provide a workaround here too, and I was hoping to work on this, but due to lack of time I wasn't able to check this, maybe someone could step up and work on this... my guess is that we should do some byte-code manipulation to remove the patch version on the post-processing phase, it might require using {*}_ASM_{*}, Byte Buddy or whatever to manipulate the _module-info.class_ and remove that field leaving it like if the compilation was done with a newer JDK version. Maybe someone from the ModiTect team could help us here. As of today, the workaround remains to use a newer JDK version to compile the project using the --release. Also, please note that this should be a new Jira issue, the timestamp is fixed in Maven, but the JDK patch version is not, both affect reproducible builds, but at the same time are not related to each other, so I propose to track the Patch version in another ticket and create a link that is related to this one. > outputTimestamp not applied to module-info; breaks reproducible builds > ---------------------------------------------------------------------- > > Key: MJAR-275 > URL: https://issues.apache.org/jira/browse/MJAR-275 > Project: Maven JAR Plugin > Issue Type: Bug > Affects Versions: 3.2.0 > Environment: Mac OS X 10.14.6 > JDK 15 (build 15+36) > JDK 11 (build 11.0.8+10) > Reporter: Anand Beh > Assignee: Slawomir Jaranowski > Priority: Minor > Fix For: 3.3.0 > > Attachments: MCOMPILER-439.zip, Screenshot 2020-10-25 at 2.35.59 > PM.png > > > Setting {{project.build.outputTimestamp}} to a fixed value allows creating > reproducible builds per this guide: > [https://maven.apache.org/guides/mini/guide-reproducible-builds.html > |https://maven.apache.org/guides/mini/guide-reproducible-builds.html]However, > if one adds a module-info file to the project, reproducible builds break. > This is caused by module-info.class using the latest timestamp and not > {{project.build.outputTimestamp}}. I was able to identify the problem using > diffoscope: [https://diffoscope.org/.|https://diffoscope.org/] With it I > determined the timestamp across 2 builds was constant for all but the > module-info.class: > > {code:java} > -rw---- 2.0 fat 862 bl defN 20-Oct-17 00:40 > space/arim/libertybans/api/select/SelectionOrder.class > │ -rw---- 2.0 fat 1113 bl defN 20-Oct-17 00:40 > space/arim/libertybans/api/select/SelectionOrderBuilder.class > │ -rw---- 2.0 fat 2285 bl defN 20-Oct-17 00:40 > META-INF/maven/space.arim.libertybans/bans-api/pom.xml > │ -rw---- 2.0 fat 74 bl defN 20-Oct-17 00:40 > META-INF/maven/space.arim.libertybans/bans-api/pom.properties > │ --rw---- 2.0 fat 557 bl defN 20-Oct-25 12:39 module-info.class > │ +-rw---- 2.0 fat 557 bl defN 20-Oct-25 12:41 module-info.class > {code} > > Note the + and - which are diffoscope's way of indicating the difference > between the .jar files. Here the {{project.build.outputTimestamp}} is on 17 > October. As shown, module-info has a "rebellious" timestamp. > > *EDIT:* > Example project to reproduce the bug: > [https://github.com/A248/MJAR-275|https://github.com/A248/MCOMPILER-439] > (Renamed from [https://github.com/A248/MCOMPILER-439]) > Source code is also provided as an attachment below -- This message was sent by Atlassian Jira (v8.20.10#820010)