Date: Sunday, December 19, 2021 @ 18:22:30 Author: anthraxx Revision: 1079077
upgpkg: maven 3.8.4-1: fully bit identical canonical packaging Make our packaged version 100% canonical but built from source by leveraging reproducible builds implications. We use the upstream build number to build our version from source and check the resulting tarball against the official hashes. We literally reproduce the upstream binary dist bit by bit. This has multiple nice side effects, most importantly we can dist a 100% canonical version that is bit by bit the same and therefor supported but still do not require to blindly repackage prebuilt artifacts. Modified: maven/trunk/PKGBUILD
----------+ PKGBUILD | 52 ++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 40 insertions(+), 12 deletions(-) Modified: PKGBUILD ===================================================================
--- PKGBUILD 2021-12-19 18:04:17 UTC (rev 1079076)
+++ PKGBUILD 2021-12-19 18:22:30 UTC (rev 1079077)
@@ -3,7 +3,7 @@
 # Contributor: William Rea <[email protected]>

 pkgname=maven
-pkgver=3.8.3
+pkgver=3.8.4
 pkgrel=1
 pkgdesc='Java project management and project comprehension tool'
 url='https://maven.apache.org'
@@ -12,8 +12,11 @@
 depends=('java-environment>=7' 'bash' 'procps-ng')
 makedepends=('maven' 'java-environment=8')
 backup=('opt/maven/conf/settings.xml')
-source=(https://www-eu.apache.org/dist/maven/maven-3/${pkgver}/source/apache-maven-${pkgver}-src.tar.gz{,.asc}
+source=(https://downloads.apache.org/maven/maven-3/${pkgver}/source/apache-maven-${pkgver}-src.tar.gz{,.asc}
+ # both bin artifacts are only used for reproducible builds from source
+ https://downloads.apache.org/maven/maven-3/${pkgver}/binaries/apache-maven-${pkgver}-bin.tar.gz{,.asc,.sha512}
 maven.sh)
+noextract=(apache-maven-${pkgver}-bin.tar.gz)
 # https://www.apache.org/dist/maven/KEYS
 validpgpkeys=(
 '042B29E928995B9DB963C636C7CA19B7B620D787' # StephenConnolly<[email protected]>
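Review bot: The comment `# both bin artifacts are only used for reproducible builds from source` undercounts what the brace expansion fetches — the binary tarball, its `.asc` and its `.sha512` are three files — and does not say why build() may rely on them. Because matching sha256sums and validpgpkeys entries are added in the same commit, makepkg verifies these downloads before build() reads the build number and digest out of them, and package() installs only the tarball produced under apache-maven/target, so nothing from the prebuilt download ends up in the package. Suggest `# the binary dist, its signature and its sha512 are only used to verify that the source build is bit-identical; nothing from them is installed`.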
@@ -22,33 +25,58 @@
 'B02137D875D833D9B23392ECAE5A7FB608A0221C' # Robert Scholte <[email protected]>
 '6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688' # Michael Osipov (Java developer) <[email protected]>
 )
-sha256sums=('c58ea18cee78d678af33b4080b083a104ab80919e4bb57468109338e0bbad19f'
+sha256sums=('298bfb6172c134655f4f5608342f9c7bc798918ac165b8ded4af800be184ab9b'
 'SKIP'
+ '2cdc9c519427bb20fdc25bef5a9063b790e4abd930e7b14b4e9f4863d6f9f13c'
+ 'SKIP'
+ 'e3b1b816da14173abf0141e22ced80239b57fe81889e230529fec02a88dc55c4'
 '17d9b8efa6a922907110026273443bcc8d83e061e14ac82cb5052b483acc9b76')

+_buildnumber() {
+ # use same build number as the binary dist but prove that our source build is
+ # identical and therefor canonical in the build() step
+ bsdtar xOf <(bsdtar xOf "${srcdir}/apache-maven-${pkgver}-bin.tar.gz" apache-maven-${pkgver}/lib/maven-core-${pkgver}.jar) \
+ org/apache/maven/messages/build.properties | grep buildNumber | cut -d= -f2 | tr -cd '[:print:]'
+}
+
 build() {
 cd apache-maven-${pkgver}

 export PATH="/usr/lib/jvm/java-8-openjdk/bin:${PATH}"
 mvn package \
+ -DbuildNumber="$(_buildnumber)" \
+ -Dline.separator=$'\r\n' \
+ -Dproject.build.sourceEncoding=UTF-8 -e \
 -Dmaven.repo.local="${srcdir}/repo" \
- -Dproject.build.sourceEncoding=UTF-8 -e
+ -DskipTests
+
+ # check reproducible builds result against upstream hashes. This way we can
+ # prove that our source build is identical and therefor canonical so we are
+ # technically free to use the static build number in our build env. On top we
+ # ensure bit by bit identical upstream signed binary dist against our variant
+ # via diff exiting non-successful on mismatch.
+ sha512sum -c <(printf "$(cat ${srcdir}/apache-maven-${pkgver}-bin.tar.gz.sha512) apache-maven/target/apache-maven-${pkgver}-bin.tar.gz")
+ diff "${srcdir}/apache-maven-${pkgver}-bin.tar.gz" apache-maven/target/apache-maven-${pkgver}-bin.tar.gz
 }

+check() {
+ cd apache-maven-${pkgver}
+
+ export PATH="/usr/lib/jvm/java-8-openjdk/bin:${PATH}"
+ mvn test \
+ -Dmaven.repo.local="${srcdir}/repo"
+}
+
 package() {
 cd apache-maven-${pkgver}

 install -Dm 755 ../maven.sh -t "${pkgdir}/etc/profile.d"
+ install -d "${pkgdir}/opt/maven"
+ bsdtar xf apache-maven/target/apache-maven-${pkgver}-bin.tar.gz \
+ --strip-components=1 \
+ -C "${pkgdir}/opt/maven"

- # skip tests as they were already executed
- export PATH="/usr/lib/jvm/java-8-openjdk/bin:${PATH}"
- mvn install \
- -Dmaven.repo.local="${srcdir}/repo" \
- -Dproject.build.sourceEncoding=UTF-8 -e \
- -DdistributionTargetDir="${pkgdir}/opt/maven" \
- -DskipTests -Dmaven.test.skip=true
-
 install -d "${pkgdir}/usr/bin"
 ln -s /opt/maven/bin/mvn "${pkgdir}/usr/bin/mvn"
 ln -s /opt/maven/bin/mvnDebug "${pkgdir}/usr/bin/mvnDebug"
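Review bot: The sha512sum line in build() is the one place in this hunk where `${srcdir}` is left unquoted, and it hands the digest file's contents to printf as the format string, so a srcdir containing whitespace breaks the `cat`, and any `%` or backslash in the digest file would be interpreted instead of compared. Suggest `sha512sum -c <(printf '%s  %s\n' "$(< "${srcdir}/apache-maven-${pkgver}-bin.tar.gz.sha512")" "apache-maven/target/apache-maven-${pkgver}-bin.tar.gz")`, which also emits the canonical two-space checksum-line format; this keeps the existing assumption that the `.sha512` file holds only the hex digest. In `_buildnumber`, `grep buildNumber` also matches any other key containing that substring and `tr -cd` would then glue the values into one, so `grep '^buildNumber='` pins the key the comment says is being reused. The `diff` against the downloaded tarball is what actually proves byte identity and relies on makepkg aborting on its non-zero exit, which the preceding comment states but the code does not check explicitly. The package() body continues past the end of the hunk.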
