Author: centic
Date: Mon Jul 15 06:03:23 2024
New Revision: 1919240

URL: http://svn.apache.org/viewvc?rev=1919240&view=rev
Log:
Add some changelog and describe support for reproducible builds and output files

Modified:
    poi/site/publish/changes.html
    poi/site/publish/help/faq.html
    poi/site/src/documentation/content/xdocs/changes.xml
    poi/site/src/documentation/content/xdocs/help/faq.xml

Modified: poi/site/publish/changes.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/changes.html?rev=1919240&r1=1919239&r2=1919240&view=diff
==============================================================================
--- poi/site/publish/changes.html (original)
+++ poi/site/publish/changes.html Mon Jul 15 06:03:23 2024
@@ -227,6 +227,10 @@ document.write("Last Published: " + docu
 <h3 class="boxed">Summary</h3>
 <ul>
             
+<li>Add support for SOURCE_DATE_EPOCH to allow to create reproducible binary 
files without creation/modification-timestamp being set</li>
+            
+<li>Breaking change: Some invalid content in the compressed file-formats for 
xlsx/docx/pptx/... now fail parsing to prevent handling malicious input 
incorrectly</li>
+            
 <li>Upgrade saxon dependency to 12.5</li>
         
 </ul>
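
Review bot: The two added list items have grammar slips that will show up on the published changes page: "Some invalid content ... now fail parsing" should read "now fails parsing", and "to allow to create reproducible binary files" reads better as "to allow creating reproducible binary files". This file is generated output, so make the fix in changes.xml and regenerate rather than editing it here.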

Modified: poi/site/publish/help/faq.html
URL: 
http://svn.apache.org/viewvc/poi/site/publish/help/faq.html?rev=1919240&r1=1919239&r2=1919240&view=diff
==============================================================================
--- poi/site/publish/help/faq.html (original)
+++ poi/site/publish/help/faq.html Mon Jul 15 06:03:23 2024
@@ -839,6 +839,33 @@ and
             
 </ul>
 </div>
+<a name="faq-reproducible-build-and-output"></a>
+<h2 class="boxed">28. 
+            Does Apache POI support building reproducibly and/or producing 
reproducible output?
+        </h2>
+<div class="section">
+<p>There are two angles to reproducibility: building reproducible jars for 
Apache POI itself and making Apache POI
+            produce byte-for-byte identical files when it is used to create 
documents.
+            </p>
+<ul>
+            
+<li>The build of jars for Apache POI should be reproducible since version 
5.2.4 by removing the build-timestamp
+                from the generated Version.java. Make sure the exact same 
combination of build-tools is used,
+                especially the version of the JDK.</li>
+            
+<li>Producing reproducible output files will be supported in the future (after 
version 5.3.0), initial support is available in
+                nightly builds.<br>
+                Note: Files are only written without timestamps if the 
environment variable SOURCE_DATE_EPOCH is set to a
+                non-empty value.</li>
+            
+</ul>
+<p>Please create a bug entry if you find things which break reproducibility, 
both for building and output files.<br>
+                Please provide exact steps how to reproduce your issue!
+            </p>
+<p>See <a 
href="https://reproducible-builds.org/";>https://reproducible-builds.org/</a> 
for general information about why reproducible builds
+                and output may be important.
+            </p>
+</div>
 </div>
 <!--+
     |end content
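
Review bot: In the second list item, "will be supported in the future (after version 5.3.0)" and "initial support is available in nightly builds" will be out of date as soon as the next release ships, while the changes.xml part of this same commit already lists the feature under release 5.3.1. Name that version in the FAQ instead. Also check the link in the last paragraph: as shown here the href reads "https://reproducible-builds.org/"; with a semicolon after the closing quote, which should be removed if it is in the committed file and not an artefact of the mail rendering.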

Modified: poi/site/src/documentation/content/xdocs/changes.xml
URL: 
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/changes.xml?rev=1919240&r1=1919239&r2=1919240&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/changes.xml (original)
+++ poi/site/src/documentation/content/xdocs/changes.xml Mon Jul 15 06:03:23 
2024
@@ -72,6 +72,8 @@
 
     <release version="5.3.1" date="2024-??">
         <summary>
+            <summary-item>Add support for SOURCE_DATE_EPOCH to allow to create 
reproducible binary files without creation/modification-timestamp being 
set</summary-item>
+            <summary-item>Breaking change: Some invalid content in the 
compressed file-formats for xlsx/docx/pptx/... now fail parsing to prevent 
handling malicious input incorrectly</summary-item>
             <summary-item>Upgrade saxon dependency to 12.5</summary-item>
         </summary>
         <actions>
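
Review bot: The "Breaking change" summary-item does not say which invalid content is now rejected or how the failure surfaces to the caller, so someone upgrading to 5.3.1 cannot tell from this entry whether their xlsx/docx/pptx inputs are affected or what to catch. Name the rejected condition and the resulting error, or reference the bug or revision that introduced the check, so the entry can be acted on.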

Modified: poi/site/src/documentation/content/xdocs/help/faq.xml
URL: 
http://svn.apache.org/viewvc/poi/site/src/documentation/content/xdocs/help/faq.xml?rev=1919240&r1=1919239&r2=1919240&view=diff
==============================================================================
--- poi/site/src/documentation/content/xdocs/help/faq.xml (original)
+++ poi/site/src/documentation/content/xdocs/help/faq.xml Mon Jul 15 06:03:23 
2024
@@ -714,4 +714,29 @@ and
             </ul>
         </answer>
     </faq>
+    <faq id="faq-reproducible-build-and-output">
+        <question>
+            Does Apache POI support building reproducibly and/or producing 
reproducible output?
+        </question>
+        <answer>
+            <p>There are two angles to reproducibility: building reproducible 
jars for Apache POI itself and making Apache POI
+            produce byte-for-byte identical files when it is used to create 
documents.
+            </p>
+            <ul>
+            <li>The build of jars for Apache POI should be reproducible since 
version 5.2.4 by removing the build-timestamp
+                from the generated Version.java. Make sure the exact same 
combination of build-tools is used,
+                especially the version of the JDK.</li>
+            <li>Producing reproducible output files will be supported in the 
future (after version 5.3.0), initial support is available in
+                nightly builds.<br/>
+                Note: Files are only written without timestamps if the 
environment variable SOURCE_DATE_EPOCH is set to a
+                non-empty value.</li>
+            </ul>
+            <p>Please create a bug entry if you find things which break 
reproducibility, both for building and output files.<br/>
+                Please provide exact steps how to reproduce your issue!
+            </p>
+            <p>See <a 
href="https://reproducible-builds.org/";>https://reproducible-builds.org/</a> 
for general information about why reproducible builds
+                and output may be important.
+            </p>
+        </answer>
+    </faq>
 </faqs>
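
Review bot: The note "Files are only written without timestamps if the environment variable SOURCE_DATE_EPOCH is set to a non-empty value" leaves the semantics open: SOURCE_DATE_EPOCH is specified by reproducible-builds.org as a Unix timestamp in seconds, but the text reads as if any non-empty value merely switches timestamps off. State whether POI parses the value and writes it as the creation/modification time or ignores the value and omits the timestamps, and what happens for a non-numeric value. It would also help to say which output formats are covered, since the changelog entry only says "binary files".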


