after a few years of testing, thinking, procrastination and hard work (thank you Thomas for your talk at Devoxx France 2016 [1]), I think I achieved a key step this week-end toward native Reproducible Builds with Maven [2]: Maven core itself can be built in a reproducible way!
It means that if you build "reproducible" branch of Maven core, you'll get the same apache-maven-3.6.3-SNAPSHOT-bin.zip than me or the ASF CI server [3]. The precise result depends only on 2 key facts: - do you build on Windows or any Unix? This impacts newlines... - what JDK major version do you use to build? This affects generated .class (notice: AFAIK minor JDK version does not have any impact, nor platform) This branch is only a PoC: it uses unreleased packaging plugins that give reproducible results (versions in .RB-SNAPSHOT), and I had to tweak a little bit the build for remaining reproduciblity issues with sisu and plexus plugins. There are many details to decide before releasing these plugins and making every build reproducible by default. But the current steps proves that is is feasible. Interested in joining the effort to bring this feature to releases for end users? Regards, Hervé [1] http://zlika.github.io/presentations/devoxx_fr_2016/reproducible-builds/slides_fr.html [2] https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318 [3] https://builds.apache.org/view/M-R/view/Maven/job/maven-box/job/maven/job/reproducible/ --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
