On Sunday, 6 October 2019, 22:18:59 CEST, Emmanuel Bourg wrote:
> On 06/10/2019 at 20:13, Hervé BOUTEMY wrote:
> > no, it does not add any dependency on developer configuration:
> > 2019-10-05T18:37:42Z == 2019-10-05T20:37:42+02:00 ==
> > 2019-10-05T16:37:42-02:00
> yes but:
>
> "2019-10-05T18:37:42Z" != "2019-10-05T20:37:42+02:00" !=
> "2019-10-05T16:37:42-02:00"
>
> The point is, two developers may generate a different pom if the local
> timezone is used. A fixed timezone is necessary to ensure the pom itself
> is reproducible.

There is a misunderstanding here: the pom.xml is saved in the source control, with the timestamp in it. There is no question of "reproducible pom.xml".

>
> > when will this value be written in the pom.xml is independent: currently,
> > in my PoC, I wrote the values by hand. In the future, it will probably be
> > updated by maven-release-plugin, and we'll have to choose if the
> > timestamp is written in Z or if it is written in local timezone with its
> > offset: both ways of expressing the timestamp are valid and will give
> > reproducible result
> The jar generated is reproducible, but not the pom. I suspect that if
> the jar includes the pom it'll break its reproducibility too (this is
> the default for maven-jar-plugin, but I don't know if it embeds the
> original pom without the timestamp, or the generated pom with the
> timestamp).
>
> > once again, war files taken apart for web servers, who looks at timestamp
> > in zip files?
>
> archive timestamps are just the tip of the iceberg. There are more
> visible timestamps elsewhere, for example in the javadoc headers, in
> .properties files, in OSGi attributes, sometimes in the source files...

Sure, many plugins have already been modified to remove such noise in output, and probably others will require to be updated. Because in Reproducible Builds, timestamps to know when something has been generated are less useful: Reproducibility is the ultimate proof of knowledge of what has been built, since the result will be the same now, tomorrow, in one year...

Regards,

Hervé

>
> Emmanuel Bourg
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
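
The timestamp comparison debated in this thread, as an added example (not code from either poster or from Maven): it parses the three spellings quoted above and writes a one-entry zip from each, once with the instant converted to UTC and once with the wall-clock fields used as written. The entry name, its content and the convert-to-UTC step are assumptions of this example.

```python
import hashlib
import io
import zipfile
from datetime import datetime, timezone

# The three spellings quoted in the thread: one instant, three offsets.
STAMPS = [
    "2019-10-05T18:37:42Z",
    "2019-10-05T20:37:42+02:00",
    "2019-10-05T16:37:42-02:00",
]

def parse_instant(text):
    """Parse an ISO 8601 timestamp with offset into an aware datetime."""
    # fromisoformat() accepts a trailing "Z" only from Python 3.11 on.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))

def build_archive(stamp, normalize=True):
    """Write a one-entry zip dated from `stamp`; return its SHA-256."""
    moment = parse_instant(stamp)
    if normalize:
        # Zip entry times carry no UTC offset, so convert to UTC first.
        moment = moment.astimezone(timezone.utc)
    info = zipfile.ZipInfo("META-INF/example.properties",  # constructed name
                           date_time=moment.timetuple()[:6])
    info.external_attr = 0o644 << 16  # fixed permissions, not the umask
    info.compress_type = zipfile.ZIP_STORED
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr(info, b"version=1.0\n")  # constructed content
    return hashlib.sha256(buf.getvalue()).hexdigest()

def summary():
    """Count distinct values at each level the thread argues about."""
    return {
        "distinct_strings": len(set(STAMPS)),
        "distinct_instants": len({parse_instant(s) for s in STAMPS}),
        "digests_normalized": len({build_archive(s) for s in STAMPS}),
        "digests_wall_clock": len(
            {build_archive(s, normalize=False) for s in STAMPS}),
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

The three strings differ while the instants are equal; the archive digests match only when the instant is converted to one fixed zone before it reaches the offset-less zip entry field.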