On Wed, 9 Mar 2022 07:58:51 GMT, Thomas Stuefe <stu...@openjdk.org> wrote:

>> Ioi Lam has updated the pull request incrementally with one additional 
>> commit since the last revision:
>> 
>>   Fixed zero build
>
> Hi Ioi,
> 
> some questions, comments inline.
> 
> Like David in the comments, I am also a bit vague on the usefulness, but I 
> may not know the whole story. Is it to enable repackagers like Debian to 
> check the "reproducible" tickbox on their OpenJDK package? Or is there a 
> practical need for this?
> 
> Thanks, Thomas

@tstuefe Without commenting on Ioi's actual implementation, let me explain a 
bit on the importance of this fix.

Reproducible builds is not just a "checkbox", any more than "does not crash on 
startup" is a checkbox. It is an important security tool. See e.g. 
https://reproducible-builds.org/ for more information. 

The problem with CDS generating non-deterministic output is that during the 
build process we generate the file classes.jsa (and classes_nocoops.jsa). These 
files in turn are included in the java.base jmod, which in turn is included in 
the entire jlinked image.

So if classes.jsa gets random bits, these random bits propagate to 
java.base.jmod and finally, to the entire jimage. This means that it is 
impossible to get bit-by-bit reproducibility verification of the entire JDK 
build.

For several years, we have relentlessly (albeit with an unfortunately low 
priority) addressed and fixed indeterminism in the build of the JDK. We are now 
at the point where the only major issue is the randomness of classes.jsa and 
classes_nocoops.jsa.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7748
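
Added example, not part of the original message or of the JDK build: a sketch of how a few varying bytes in classes.jsa change the digest of every artifact that contains it, and how a verifier can walk two builds down to the innermost differing file. Nested zip archives stand in for java.base.jmod and the jlinked image (an assumption for illustration; the real jmod and jimage formats are not parsed), and all payloads are constructed samples.

```python
import hashlib
import io
import zipfile

FIXED_TIME = (2022, 3, 9, 0, 0, 0)  # constant mtime keeps the containers deterministic
JSA_BUILD_A = b"CDS" + b"\x00" * 8  # constructed sample payloads: same build,
JSA_BUILD_B = b"CDS" + b"\x01" * 8  # but a few bytes vary between runs

def pack(members):
    """Zip a {name: bytes} dict deterministically (sorted names, fixed mtime)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in sorted(members):
            zf.writestr(zipfile.ZipInfo(name, FIXED_TIME), members[name])
    return buf.getvalue()

def build_image(jsa):
    """Stand-in build chain: classes.jsa -> java.base.jmod -> image."""
    jmod = pack({"lib/classes.jsa": jsa, "classes/Object.class": b"\xca\xfe\xba\xbe"})
    return pack({"java.base.jmod": jmod, "release": b"constructed\n"})

def differing_leaves(a, b, path=""):
    """Return the innermost paths whose bytes differ between two artifacts."""
    if a == b:
        return []
    if zipfile.is_zipfile(io.BytesIO(a)) and zipfile.is_zipfile(io.BytesIO(b)):
        with zipfile.ZipFile(io.BytesIO(a)) as za, zipfile.ZipFile(io.BytesIO(b)) as zb:
            names_a, names_b = set(za.namelist()), set(zb.namelist())
            found = [f"{path}/{n}" for n in sorted(names_a ^ names_b)]
            for n in sorted(names_a & names_b):
                found += differing_leaves(za.read(n), zb.read(n), f"{path}/{n}")
            return found or [path or "/"]  # only container metadata differs
    return [path or "/"]

def sha256(data):
    return hashlib.sha256(data).hexdigest()

if __name__ == "__main__":
    image_a, image_b = build_image(JSA_BUILD_A), build_image(JSA_BUILD_B)
    print("image A:", sha256(image_a))
    print("image B:", sha256(image_b))
    print("root cause:", differing_leaves(image_a, image_b))
```

With identical classes.jsa input the two images are byte-identical, so a single top-level digest comparison is enough to verify the whole build.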
