[ https://issues.apache.org/jira/browse/TIKA-4591?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18048935#comment-18048935 ]

Hervé Boutemy commented on TIKA-4591:
-------------------------------------

FYI, one third party (Reproducible Central) has been rebuilding for some time
(with its own guessed recipe), and here are the results for past releases:
https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/tika/README.md

Is "tika-server" part of what is already rebuilt? Or is it a different scope?

> Implement Reproducible Builds for tika-server
> ---------------------------------------------
>
>                 Key: TIKA-4591
>                 URL: https://issues.apache.org/jira/browse/TIKA-4591
>             Project: Tika
>          Issue Type: Sub-task
>            Reporter: Nicholas DiPiazza
>            Priority: Major
>              Labels: build, reproducible-builds, security, tika-server
>
> h2. Objective
> Implement reproducible builds for the tika-server module to ensure 
> bit-for-bit identical outputs across different build environments.
> h2. Tasks
> * Configure Maven properties for reproducible builds in tika-server/pom.xml
> * Set project.build.outputTimestamp property
> * Configure maven-jar-plugin for reproducible archive creation
> * Configure maven-source-plugin for reproducible source archives
> * Configure maven-assembly-plugin if used for distribution packaging
> h2. Verification
> * Build tika-server multiple times and verify checksums match
> * Build on different machines/environments and verify reproducibility
> * Generate and verify .buildinfo file
> * Document verification steps
> h2. Acceptance Criteria
> # tika-server JAR builds are reproducible
> # Source archives are reproducible
> # All timestamps are normalized
> # buildinfo file is generated and validates successfully



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
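
The verification tasks in the issue ("build multiple times and verify checksums match") only say whether two builds differ, not why. The following is an added example, not part of the original message or of the Tika build: it compares two JARs and names the cause of a mismatch. The entry names, contents and timestamps are constructed, and the fixed timestamp stands in for what `project.build.outputTimestamp` normalizes.

```python
import hashlib
import io
import zipfile

# Constructed sample entries; not taken from a real tika-server build.
ENTRIES = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("org/example/App.class", b"\xca\xfe\xba\xbe constructed bytes"),
]

def make_jar(entries, mtime):
    """Build an in-memory JAR whose entries all carry the timestamp `mtime`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def sha256(blob):
    return hashlib.sha256(blob).hexdigest()

def explain_diff(jar_a, jar_b):
    """Return [] when the archives are bit-identical, else (reason, entry) pairs."""
    if sha256(jar_a) == sha256(jar_b):
        return []
    za = zipfile.ZipFile(io.BytesIO(jar_a))
    zb = zipfile.ZipFile(io.BytesIO(jar_b))
    names_a, names_b = za.namelist(), zb.namelist()
    reasons = []
    if set(names_a) != set(names_b):
        reasons += [("entry-set", n) for n in sorted(set(names_a) ^ set(names_b))]
    elif names_a != names_b:
        reasons.append(("entry-order", None))  # same files, different archive order
    for name in names_a:
        if name not in names_b:
            continue
        a, b = za.getinfo(name), zb.getinfo(name)
        if a.date_time != b.date_time:
            reasons.append(("timestamp", name))  # mtime not normalized
        if a.external_attr != b.external_attr:
            reasons.append(("permissions", name))
        if za.read(name) != zb.read(name):
            reasons.append(("content", name))  # the payload itself differs
    return reasons or [("other-metadata", None)]
```

To check real artifacts, read the two built JAR files as bytes and pass them to `explain_diff`.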
