On 2024-09-25 at 06:52, Mateusz Gajewski wrote:
For me this looks more like an issue of the jar plugin and should
probably be handled there, though even then I wonder why the zip
entries need a timestamp for a jar to be reproducible; should it not
be enough to compare the zip entries and leave the timestamp alone?
The idea of a reproducible build is to create binary-exact artifacts
for which you can quickly calculate a checksum to compare with some
reference build. As the timestamp entry is used in zip/JARs, it
changes the binary representation of a jar as well. So yeah, that's
important.
(Note: I'm duplicating here a comment I just made on the PR.) I guess
that the checksum is not a goal in itself, but the higher-level goal is
security (checking that a JAR file has not been compromised)? If yes,
then we do not necessarily need bit-for-bit reproducibility.
"Semantically reproducible build" or "semantic equivalency" can be as
good or even better, as it does not force us to throw away useful
metadata like the real build time. Microsoft has a short discussion about
semantic equivalency here:
https://github.com/microsoft/OSSGadget/wiki/OSS-Reproducible
Could the real issue be that we do not have a Maven plugin for making a
semantic equivalency check easy? E.g. a plugin that builds a project and
automatically compares it semantically against the JAR file on Maven Central
or elsewhere?
Martin
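As an added illustration of the distinction drawn in this thread (example code, not from the thread, the Maven jar plugin or OSSGadget): two constructed JARs with the same entries but different zip-header timestamps fail a plain checksum comparison yet pass a semantic check that compares entry names and content hashes, while a modified class file is still caught. The entry contents and timestamps are constructed sample values.

```python
import hashlib
import io
import zipfile
from typing import Dict, Tuple

def entry_digests(jar_bytes: bytes) -> Dict[str, str]:
    """Map each file entry to the SHA-256 of its uncompressed content.
    Zip-header timestamps, compression method and entry order are ignored."""
    digests: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def semantically_equivalent(jar_a: bytes, jar_b: bytes) -> bool:
    """True when both archives hold the same entry names with identical content."""
    return entry_digests(jar_a) == entry_digests(jar_b)

def bitwise_identical(jar_a: bytes, jar_b: bytes) -> bool:
    """The bit-for-bit check a plain artifact checksum performs."""
    return hashlib.sha256(jar_a).digest() == hashlib.sha256(jar_b).digest()

def build_jar(entries: Dict[str, bytes], stamp: Tuple[int, ...]) -> bytes:
    """Constructed sample JAR: the given entries, all stamped with one zip timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data,
                        compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()

# Constructed content standing in for real build output (not a valid class file).
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x41",
}

def demo() -> Tuple[bool, bool, bool]:
    """Two honest builds a day apart, plus a third with a modified class file."""
    build_1 = build_jar(ENTRIES, (2024, 9, 25, 6, 52, 0))
    # Same entries written in the opposite order, one day later.
    build_2 = build_jar(dict(reversed(list(ENTRIES.items()))), (2024, 9, 26, 10, 0, 0))
    tampered = {**ENTRIES, "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x42"}
    build_3 = build_jar(tampered, (2024, 9, 25, 6, 52, 0))
    return (bitwise_identical(build_1, build_2),        # False: header timestamps differ
            semantically_equivalent(build_1, build_2),  # True: identical entries
            semantically_equivalent(build_1, build_3))  # False: class content changed

if __name__ == "__main__":
    print(demo())
```

Note that only zip-header metadata is ignored: a build timestamp written into MANIFEST.MF itself is entry content and would still make two builds compare as different.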