Not sure if someone already mentioned or acknowledged that, but let's take a look at this:
http://zlika.github.io/presentations/devoxx_fr_2016/reproducible-builds/slides_en.html

Victor Williams Stafusa da Silva

2017-11-09 16:30 GMT-02:00 Antonio <[email protected]>:

> On 09/11/17 at 13:36, Emilian Bold wrote:
>
>>> Every build of a jar will produce a different sha, so your assessment
>>> is correct.
>
> Mmm.... that would depend on how you checksum the jar file. I imagine that
> we could checksum all the contents of the jar file _except_ for specific
> lines in the META-INF/MANIFEST.MF file (those talking about build times and
> jdk versions). The rest of the file should produce the same checksum (being
> compiled with the same JDK). Let's call this the "Java Checksum", right?
>
> Computing the "Java Checksum" will, of course, be costly performance-wise,
> I think.
>
> So we could have a secondary, optional, "Java Checksum" for binaries. If
> the first usual SHA-1 checksum (quick to compute) fails then a "Java
> Checksum" would be used instead.
>
> Cheers,
> Antonio
>
> P.S.: Another option would be to prune those lines that get modified in
> each build in the MANIFEST.MF file after creating the jar file.
>
>> Another reason NetBeans builds should be reproducible.
>>
>> Rather amazed Apache does not have a foundation-wide move like Debian's
>> https://wiki.debian.org/ReproducibleBuilds
>>
>> --emi
