[maven-site] branch master updated: rebuilding on same env does not prove reproducible build

Tue, 04 Jul 2023 07:36:23 -0700 

This is an automated email from the ASF dual-hosted git repository.

hboutemy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/maven-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 17064442 rebuilding on same env does not prove reproducible build
17064442 is described below

commit 17064442ea6b477058197182f840497b44910b68
Author: HervĂ© Boutemy <[email protected]>
AuthorDate: Tue Jul 4 16:36:14 2023 +0200

    rebuilding on same env does not prove reproducible build
---
 content/apt/guides/mini/guide-reproducible-builds.apt | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/content/apt/guides/mini/guide-reproducible-builds.apt 
b/content/apt/guides/mini/guide-reproducible-builds.apt
index 34e2c5bd..2f058c00 100644
--- a/content/apt/guides/mini/guide-reproducible-builds.apt
+++ b/content/apt/guides/mini/guide-reproducible-builds.apt
@@ -62,7 +62,7 @@ mvn artifact:check-buildplan
 * How to test my Maven build reproducibility?
 
  Using 
{{{/plugins/maven-artifact-plugin/compare-mojo.html}<<<maven-artifact-plugin>>>'s
 <<<compare>>> goal}},
- you can check that the second build of your project produce the same output 
than an initial build:
+ you can easily check that the second build of your project produce the same 
output than an initial build:
 
  [[1]] build and <<<install>>> your project (don't hesitate to customize 
arguments to better match your project):
  
@@ -78,6 +78,9 @@ mvn clean verify artifact:compare
 
  []
 
+ Notice that this does NOT really prove that your build is yet reproducible, 
because your build may still suffer from environment leaks (username, current 
directory, ...). But it is easy to do, and prevents basic non-reproducible 
issues like timestamps.
+ Really checking reproducibility requires to rebuild from a completely 
different setup: this is harder to do, even if containers may ease the task.
+
 * How to fix my Maven build reproducibility?
 
  If something is still not reproducible after initial setup and 
{{{/plugins/maven-artifact-plugin/plugin-issues.html}automatic check from 
<<<artifact:check-buildplan>>>}}:

Reply via email to