[
https://issues.apache.org/jira/browse/MJAR-275?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17748591#comment-17748591
]
Jorge Solórzano commented on MJAR-275:
--------------------------------------
Please note that the fix done in [https://bugs.openjdk.org/browse/JDK-8258117]
in the JDK 18 only partially fixes the problem, from my findings, JDK 18 does
fix the {{module-info.class}} timestamp, BUT if the {{Main-Class}} attribute is
set, then the {{MANIFEST.MF}} is updated without preserving the timestamp. In
other words, this fix does not work correctly as it breaks reproducible build
anyway in that scenario, this fix is NOT used in Maven as is not reliable.
The ACTUAL fix done in Maven uses a new feature implemented in JDK 19+ and
backported to JDK 18.0.1+ and JDK 17.0.3+, the issue for that feature is this
one: [https://bugs.openjdk.org/browse/JDK-8277755] , it basically leverage a
feature to pass the --date parameter to the jar tool, plexus-archiver has
detection if this feature exists, so it works the same in JDK 17.0.2 (which
doesn't have the feature) and JDK 17.0.3+, and at the same time works with
previous versions even JDK 9.
The inclusion of JDK patch version information is another topic that should be
tackled, and yes, we should open a JDK issue for it, yet a fix for this could
take a while and there is no real hope to get a backport for it in earlier
versions of the JDK, so yes, we could provide a workaround here too, and I was
hoping to work on this, but due to lack of time I wasn't able to check this,
maybe someone could step up and work on this... my guess is that we should do
some byte-code manipulation to remove the patch version on the post-processing
phase, it might require using {*}_ASM_{*}, Byte Buddy or whatever to manipulate
the _module-info.class_ and remove that field leaving it like if the
compilation was done with a newer JDK version. Maybe someone from the ModiTect
team could help us here.
As of today, the workaround remains to use a newer JDK version to compile the
project using the --release.
Also, please note that this should be a new Jira issue, the timestamp is fixed
in Maven, but the JDK patch version is not, both affect reproducible builds,
but at the same time are not related to each other, so I propose to track the
Patch version in another ticket and create a link that is related to this one.
> outputTimestamp not applied to module-info; breaks reproducible builds
> ----------------------------------------------------------------------
>
> Key: MJAR-275
> URL: https://issues.apache.org/jira/browse/MJAR-275
> Project: Maven JAR Plugin
> Issue Type: Bug
> Affects Versions: 3.2.0
> Environment: Mac OS X 10.14.6
> JDK 15 (build 15+36)
> JDK 11 (build 11.0.8+10)
> Reporter: Anand Beh
> Assignee: Slawomir Jaranowski
> Priority: Minor
> Fix For: 3.3.0
>
> Attachments: MCOMPILER-439.zip, Screenshot 2020-10-25 at 2.35.59
> PM.png
>
>
> Setting {{project.build.outputTimestamp}} to a fixed value allows creating
> reproducible builds per this guide:
> [https://maven.apache.org/guides/mini/guide-reproducible-builds.html
> |https://maven.apache.org/guides/mini/guide-reproducible-builds.html]However,
> if one adds a module-info file to the project, reproducible builds break.
> This is caused by module-info.class using the latest timestamp and not
> {{project.build.outputTimestamp}}. I was able to identify the problem using
> diffoscope: [https://diffoscope.org/.|https://diffoscope.org/] With it I
> determined the timestamp across 2 builds was constant for all but the
> module-info.class:
>
> {code:java}
> -rw---- 2.0 fat 862 bl defN 20-Oct-17 00:40
> space/arim/libertybans/api/select/SelectionOrder.class
> │ -rw---- 2.0 fat 1113 bl defN 20-Oct-17 00:40
> space/arim/libertybans/api/select/SelectionOrderBuilder.class
> │ -rw---- 2.0 fat 2285 bl defN 20-Oct-17 00:40
> META-INF/maven/space.arim.libertybans/bans-api/pom.xml
> │ -rw---- 2.0 fat 74 bl defN 20-Oct-17 00:40
> META-INF/maven/space.arim.libertybans/bans-api/pom.properties
> │ --rw---- 2.0 fat 557 bl defN 20-Oct-25 12:39 module-info.class
> │ +-rw---- 2.0 fat 557 bl defN 20-Oct-25 12:41 module-info.class
> {code}
>
> Note the + and - which are diffoscope's way of indicating the difference
> between the .jar files. Here the {{project.build.outputTimestamp}} is on 17
> October. As shown, module-info has a "rebellious" timestamp.
>
> *EDIT:*
> Example project to reproduce the bug:
> [https://github.com/A248/MJAR-275|https://github.com/A248/MCOMPILER-439]
> (Renamed from [https://github.com/A248/MCOMPILER-439])
> Source code is also provided as an attachment below
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
