Tycho has a BuildTimestampProvider [1] that with implementation of
several flavors:
- maven build timestamp (default)
- fixed timestamps
- jgit
- inherit from parent
- ...
So if maven would offer something similar a build extension can be used
to implement any strategy but still be there some default choices in
maven directly.
[1]
https://github.com/eclipse-tycho/tycho/blob/main/tycho-spi/src/main/java/org/eclipse/tycho/build/BuildTimestampProvider.java
Am 01.04.24 um 20:25 schrieb Romain Manni-Bucau:
Hi all,
We've got a lot of work around reproducible builds - whatever we think
about it since there are good reasons to say it is pointless and some to
say it is useful so I don't want to enter into the debate - but the notion
is 100% hosted in plugins today.
It has a few pitfalls for me:
1. plugins assume the (output) timestamp is static for a build and rebuild
2. projects often need a build timestamp related to last modifications
(frontends, jar.lastModifiedTime usage, ...)
Both statements don't go well with a hardcoded value - manually
maintained....so not maintained and broken IRL.
A workaround used by some projects is to wire the git last commit time - or
equivalent - to this value but then a plugin injects the value which means
another plugin can read another value or no value and corrupt the
reproducibility of the build.
Related to that, the work around the PR #30 on maven-artifact-plugin shows
that if using a dynamic value the artifact plugin fails or at least emits a
warning - which is not acceptable for a valid case IMHO.
Originally I just thought about relaxing this warning but Hervé thinks it
is wrong and due to the limitations mentionned earlier I think he is right
too but this means we can't let a plugin handle the "output timestamp" so I
wonder if we should move it to the new maven 4 service layer.
The only difficulty is to let it have some pluggability, default would be a
hardcoded value in properties but we should be able to use git last commit
time - likely reading pack without jgit dependency - or another strategy
potentially (ideally, as pointed out by Hervé, a different value per module
would be highly relevant and could need some configuration, the common
example being: "use the last modified time from git of files in src", ie
ignore pom modifications since it does not end in the output for example).
So my question is the following one: do we add output timestamp to maven 4
API and let maven 3 like that or do we consider reproducible builds are not
a key thing for maven and we let it in plugins (~=outside and artifact
plugin is considered not a core plugin - not sure of the status today)?
I'm happy both ways but I'm way less happy with a broken setup if we
consider it is supported by maven.
Romain Manni-Bucau
@rmannibucau <https://twitter.com/rmannibucau> | Blog
<https://rmannibucau.metawerx.net/> | Old Blog
<http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> |
LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book
<https://www.packtpub.com/application-development/java-ee-8-high-performance>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org
