On 2024-09-25 at 06:52, Mateusz Gajewski wrote:

For me this looks more like an issue of the jar plugin and should probably be handled there. Even then, I wonder why the zip entries need a timestamp for a JAR to be reproducible: should it not be enough to compare the zip entries and leave the timestamp alone?

The idea of a reproducible build is to create binary-exact artifacts for which you can quickly calculate a checksum to compare with some reference build. As the timestamp entry is used in zip/JARs, it changes the binary representation of a JAR as well. So yeah, that's important.

(Note: I'm duplicating here a comment I just made on the PR.) I guess that the checksum is not a goal in itself, but the higher-level goal is security (checking that a JAR file has not been compromised)? If yes, then we do not necessarily need bit-for-bit reproducibility. A "semantically reproducible build" or "semantic equivalency" can be as good or even better, as it does not force us to throw away useful metadata like the real build time. Microsoft has a short discussion about semantic equivalency here:

   https://github.com/microsoft/OSSGadget/wiki/OSS-Reproducible

Could the real issue be that we do not have a Maven plugin for making a semantic equivalency check easy? E.g. a plugin that builds a project and automatically compares it semantically against the JAR file on Maven Central or elsewhere?

    Martin
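An added example (not part of the thread or of any Maven plugin) of the semantic check discussed above: two JARs are compared by entry names and content digests while per-entry zip timestamps are ignored, so two builds that differ only in their timestamps compare equal even though their file checksums do not. The JARs are constructed in memory as stand-ins for a local build and a published artifact.

```python
import hashlib
import io
import zipfile


def entry_digests(data: bytes) -> dict:
    """Map each file entry to the SHA-256 of its uncompressed content.
    Entry timestamps, ordering and extra fields are deliberately ignored."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def semantically_equal(jar_a: bytes, jar_b: bytes):
    """Return (equal, differences), comparing entry names and content only."""
    a, b = entry_digests(jar_a), entry_digests(jar_b)
    diffs = []
    for name in sorted(set(a) | set(b)):
        if name not in a:
            diffs.append("only in second: " + name)
        elif name not in b:
            diffs.append("only in first: " + name)
        elif a[name] != b[name]:
            diffs.append("content differs: " + name)
    return not diffs, diffs


def build_jar(entries: dict, timestamp: tuple) -> bytes:
    """Build a small JAR in memory, every entry stamped at `timestamp` (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Same classes, built at two different times: checksums differ, contents do not.
    classes = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
               "org/example/Foo.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16}
    first = build_jar(classes, (2024, 9, 25, 6, 52, 0))
    second = build_jar(classes, (2024, 9, 26, 12, 0, 0))
    print("bit-for-bit identical:", first == second)
    print("semantically equal:", semantically_equal(first, second)[0])
```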
