Hi Everyone,

As part of being given permission to publish a release under the ASF, we have to meet the requirements of the ASF for publishing builds. During our security audit, the following was noted:

----- BEGIN QUOTE ------
One thing that I didn't see explicitly called out is 'how' to review/verify the signed artifacts. As you may have seen in the release policy, releases must be verified on 'trusted' hardware (https://www.apache.org/legal/release-policy.html#owned-controlled-hardware). The GHA builders don't count as 'trusted' on their own. In practice, *this means that as part of the vote/review phase, any artifacts that are signed with ASF key material must be independently built from source and verified to match the artifacts produced by the GHA builder* (https://infra.apache.org/release-signing.html#automated-release-signing). AFAIK Gradle is generally fairly mature when it comes to making bit-by-bit reproducible artifacts, but this might require setting some options (such as https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives) and checking for remaining sources of nondeterminism in your build - there may be some surprises in there.
----- END QUOTE ------

I've spent today looking at the reproducibility of our builds. I've made initial changes under this PR: https://github.com/apache/grails-core/pull/14670

I've added a summary of the changes to the PR itself. Please take a moment to review and express any concerns.

The problem in our case is that the AST transforms we're using cause the compiled class files to be non-deterministic, and thus they cannot be verified.

The following artifacts are affected by Grails transforms and prevent reproducible builds:

grails-cache/build/libs/grails-cache-7.0.0-SNAPSHOT.jar
grails-controllers/build/libs/grails-controllers-7.0.0-SNAPSHOT.jar
grails-converters/build/libs/grails-converters-7.0.0-SNAPSHOT.jar
grails-core/build/libs/grails-core-7.0.0-SNAPSHOT-javadoc.jar
grails-data-hibernate5/core/build/libs/grails-data-hibernate5-core-7.0.0-SNAPSHOT-javadoc.jar
grails-data-hibernate5/dbmigration/build/libs/grails-data-hibernate5-dbmigration-7.0.0-SNAPSHOT.jar
grails-data-hibernate5/grails-plugin/build/libs/grails-data-hibernate5-7.0.0-SNAPSHOT.jar
grails-datamapping-core/build/libs/grails-datamapping-core-7.0.0-SNAPSHOT-javadoc.jar
grails-datamapping-support/build/libs/grails-datamapping-support-7.0.0-SNAPSHOT.jar
grails-datamapping-tck-base/build/libs/grails-datamapping-tck-base-7.0.0-SNAPSHOT-javadoc.jar
grails-datamapping-tck-domains/build/libs/grails-datamapping-tck-domains-7.0.0-SNAPSHOT.jar
grails-datamapping-tck-tests/build/libs/grails-datamapping-tck-tests-7.0.0-SNAPSHOT-javadoc.jar
grails-datamapping-tck-tests/build/libs/grails-datamapping-tck-tests-7.0.0-SNAPSHOT.jar
grails-datastore-core/build/libs/grails-datastore-core-7.0.0-SNAPSHOT-javadoc.jar
grails-domain-class/build/libs/grails-domain-class-7.0.0-SNAPSHOT.jar
grails-fields/build/libs/grails-fields-7.0.0-SNAPSHOT.jar
grails-gsp/core/build/libs/grails-gsp-core-7.0.0-SNAPSHOT-javadoc.jar
grails-gsp/grails-sitemesh3/build/libs/grails-sitemesh3-7.0.0-SNAPSHOT.jar
grails-gsp/grails-taglib/build/libs/grails-taglib-7.0.0-SNAPSHOT-javadoc.jar
grails-gsp/grails-web-gsp-taglib/build/libs/grails-web-gsp-taglib-7.0.0-SNAPSHOT.jar
grails-gsp/grails-web-gsp/build/libs/grails-web-gsp-7.0.0-SNAPSHOT-javadoc.jar
grails-gsp/plugin/build/libs/grails-gsp-7.0.0-SNAPSHOT.jar
grails-interceptors/build/libs/grails-interceptors-7.0.0-SNAPSHOT.jar
grails-rest-transforms/build/libs/grails-rest-transforms-7.0.0-SNAPSHOT.jar
grails-scaffolding/build/libs/grails-scaffolding-7.0.0-SNAPSHOT.jar
grails-shell-cli/build/libs/grails-shell-cli-7.0.0-SNAPSHOT-javadoc.jar
grails-shell-cli/build/libs/grails-shell-cli-7.0.0-SNAPSHOT.jar
grails-views-core/build/libs/grails-views-core-7.0.0-SNAPSHOT-javadoc.jar
grails-views-gson/build/libs/grails-views-gson-7.0.0-SNAPSHOT.jar
grails-views-markup/build/libs/grails-views-markup-7.0.0-SNAPSHOT-javadoc.jar
grails-views-markup/build/libs/grails-views-markup-7.0.0-SNAPSHOT.jar
grails-web-common/build/libs/grails-web-common-7.0.0-SNAPSHOT-javadoc.jar
grails-web-databinding/build/libs/grails-web-databinding-7.0.0-SNAPSHOT.jar
grails-web-url-mappings/build/libs/grails-web-url-mappings-7.0.0-SNAPSHOT-javadoc.jar
grails-web-url-mappings/build/libs/grails-web-url-mappings-7.0.0-SNAPSHOT.jar

I investigated the `@Entity` annotation, which uses the EntityASTTransformation in the `grails-datamapping-tck-domains` project, as a start. It is what injects other traits (like GormValidateable). The resulting class file is different every build. Doing a hex comparison on the file sometimes shows simple method ordering issues. Testing traits in isolation with Groovy 4 does not have the same behavior.

I'm planning to continue researching this, but if anyone has experience with the AST transforms or the ordering problem, it would be helpful in solving this. This is probably the largest blocker to us proceeding with an ASF release. If we can't get this working, we'll be forced to build Grails locally for any published release.

-James
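The verification step the ASF quote asks for (rebuild from source on trusted hardware, then confirm the result matches the CI artifact) is easier to act on when a mismatch is narrowed to the entries responsible. The following is an added example, not code from the email or the grails-core PR: it compares two jars entry by entry and separates real content differences (such as the class files reordered by an AST transform) from timestamp-only and entry-order differences that Gradle's reproducible-archive settings address. The jars are constructed in memory so the script runs offline.

```python
# Added example (not from the original email or the Grails project): compare a
# locally built jar against the CI-built jar entry by entry to locate the
# sources of nondeterminism. Sample jars are constructed below.
import hashlib
import io
import zipfile


def jar_entry_digests(jar_bytes):
    """Map each entry name to (sha256 of its content, its stored timestamp)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            digests[info.filename] = (hashlib.sha256(zf.read(info)).hexdigest(), info.date_time)
    return digests


def compare_jars(local_bytes, ci_bytes):
    """Classify differences between a locally built jar and a CI-built one."""
    local, ci = jar_entry_digests(local_bytes), jar_entry_digests(ci_bytes)
    report = {"identical_bytes": local_bytes == ci_bytes,  # the bit-for-bit check
              "only_local": sorted(set(local) - set(ci)),
              "only_ci": sorted(set(ci) - set(local)),
              "content_differs": [], "timestamp_only": []}
    for name in sorted(set(local) & set(ci)):
        (lh, lt), (ch, ct) = local[name], ci[name]
        if lh != ch:
            report["content_differs"].append(name)   # a real build difference
        elif lt != ct:
            report["timestamp_only"].append(name)    # fixed by preserveFileTimestamps=false
    return report


def build_jar(entries, date_time):
    """Constructed sample: write (name, bytes) entries into an in-memory jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


# Constructed inputs: same sources, but the local build has a different entry
# order, different timestamps, and one class whose method order differs
# (simulated here by swapping two tokens in the class bytes).
LOCAL_JAR = build_jar([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                       ("Person.class", b"\xca\xfe\xba\xbe getName setName"),
                       ("Order.class", b"\xca\xfe\xba\xbe unchanged")], (2025, 1, 2, 9, 0, 0))
CI_JAR = build_jar([("Order.class", b"\xca\xfe\xba\xbe unchanged"),
                    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                    ("Person.class", b"\xca\xfe\xba\xbe setName getName")], (1980, 2, 1, 0, 0, 0))

if __name__ == "__main__":
    for category, value in compare_jars(LOCAL_JAR, CI_JAR).items():
        print(f"{category}: {value}")
```

Entries listed under `content_differs` are the ones to inspect with a class-file disassembler; `timestamp_only` entries and a `False` `identical_bytes` with nothing else flagged point at archive metadata rather than compiler output.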