On 09/11/17 at 13:36, Emilian Bold wrote:
Every build of a jar will produce a different sha, so your assessment
is correct.
Mmm... that would depend on how you checksum the jar file. I imagine
that we could checksum all the contents of the jar file _except_ for
specific lines in the META-INF/MANIFEST.MF file (those talking about
build times and JDK versions). The rest of the file should produce the
same checksum (being compiled with the same JDK). Let's call this the
"Java Checksum", right?
Computing the "Java Checksum" will, of course, be costly
performance-wise, I think.
So we could have a secondary, optional, "Java Checksum" for binaries. If
the first usual SHA-1 checksum (quick to compute) fails then a "Java
Checksum" would be used instead.
Cheers,
Antonio
P.S.: Another option would be to prune those lines that get modified in
each build in the MANIFEST.MF file after creating the jar file.
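A sketch of the "Java Checksum" idea from the message above, added here as an example; it is not code from this thread or from NetBeans. It goes one step further than the text by also ignoring zip entry timestamps and ordering, and the set of volatile manifest attributes, the sample jars and the class bytes are constructed assumptions.

```python
import hashlib
import io
import zipfile

# Manifest attributes assumed to change on every build (extend to match your build tool).
VOLATILE_ATTRS = {"Created-By", "Build-Jdk", "Build-Date", "Build-Time", "Bnd-LastModified"}

def normalize_manifest(data: bytes) -> bytes:
    """Drop volatile attribute lines, including their space-prefixed continuation lines."""
    kept, skipping = [], False
    for line in data.decode("utf-8").splitlines():
        if line.startswith(" "):          # continuation of the previous attribute (72-byte wrap)
            if not skipping:
                kept.append(line)
            continue
        name, sep, _ = line.partition(":")
        skipping = bool(sep) and name in VOLATILE_ATTRS
        if not skipping:
            kept.append(line)
    return "\n".join(kept).encode("utf-8") + b"\n"

def java_checksum(jar_bytes: bytes) -> str:
    """Hash entry names and contents in sorted order, so zip timestamps, entry order
    and volatile manifest attributes do not affect the digest."""
    h = hashlib.sha256()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in sorted(zf.namelist()):
            content = zf.read(name)
            if name == "META-INF/MANIFEST.MF":
                content = normalize_manifest(content)
            # length-prefix each entry so that name/content boundaries are unambiguous
            h.update(name.encode("utf-8") + b"\0" + len(content).to_bytes(8, "big") + content)
    return h.hexdigest()

def plain_sha1(jar_bytes: bytes) -> str:
    """The usual whole-file SHA-1, which changes on every build."""
    return hashlib.sha1(jar_bytes).hexdigest()

def build_jar(manifest: str, entries: dict, ts: tuple) -> bytes:
    """Constructed sample jar; manifest text and zip timestamps differ between builds."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(zipfile.ZipInfo("META-INF/MANIFEST.MF", ts), manifest, zipfile.ZIP_DEFLATED)
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, ts), data, zipfile.ZIP_DEFLATED)
    return buf.getvalue()

CLASSES = {"org/example/Foo.class": b"\xca\xfe\xba\xbe" + bytes(range(16))}   # constructed
MANIFEST = "Manifest-Version: 1.0\nMain-Class: org.example.Foo\nCreated-By: {jdk}\nBuild-Date: {date}\n"
JAR_A = build_jar(MANIFEST.format(jdk="1.8.0_144", date="2017-11-09 13:36"), CLASSES, (2017, 11, 9, 13, 36, 0))
JAR_B = build_jar(MANIFEST.format(jdk="1.8.0_152", date="2017-11-10 08:01"), CLASSES, (2017, 11, 10, 8, 1, 0))

if __name__ == "__main__":
    print("plain SHA-1 equal:", plain_sha1(JAR_A) == plain_sha1(JAR_B))        # False
    print("Java Checksum equal:", java_checksum(JAR_A) == java_checksum(JAR_B))  # True
```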
Another reason NetBeans builds should be reproducible.
Rather amazed Apache does not have a foundation-wide move like Debian's
https://wiki.debian.org/ReproducibleBuilds
--emi