Hi Craig,
yes, I think generally (e.g. C++) reproducible builds are good and can
be quite useful. With Java, it's a bit more limited, I assume the main
problems are the JDK version, dependencies (e.g. .pom with version
ranges) and the build platform (Windows line breaks, JNI dependencies,
...); after all, in Java we deliver a .jar file, not a binary.
--> I am all in favor of having reproducible builds.
What I do not understand at the moment is the benefit of:
    mvn clean install
    mvn clean package artifact:compare
It compares a local build with another local build, so it's avoiding all
the things that could possibly fail (JDK, dependencies, platform), at
least as far as I can tell. How can this ever fail? In what way does
this check for build reproducibility?
I'm sure I am missing something here...
Regards,
Til
a nice to have.
On 12/02/2022 02:17, Craig Russell wrote:
Hi Til,
I had a brief look at the internets and found some interesting commentary on
the subject. https://reproducible-builds.org/docs/deterministic-build-systems/
I didn't spend much time, but there are a few things that I took away from
that. I think that Java makes it easier because any machine supporting
Java (specific version) will produce reproducible results if some rules are
followed. This is not the case for other compilers that actually might produce
different results on different machines.
Anyway, I still think it's good to verify reproducible results in our project.
Regards,
Craig
On Feb 11, 2022, at 5:15 AM, Tilmann <tilmann_...@gmx.de> wrote:
The plugin compares the artifacts in the maven repository with the
ones in the target directory by creating buildinfos for the artifacts
and comparing them.
So the process compares two builds that have been built locally on the
same machine. I don't think I understand how this is meant to work (I
had a look at
https://maven.apache.org/plugins/maven-artifact-plugin/index.html but no
luck):
- If I build both versions locally, why would they ever differ?
- Is there a way to use this process to detect any problems caused by
building on different machines/environments (because it is always run on
the same machine)? It seems like one has to copy builds from another
machine or at least set up a private repository that can be accessed by
multiple machines...?
Til
On 10/02/2022 22:33, Michael Bouschen wrote:
Hi,
our JDO build is now reproducible, I just have to follow the
instructions given by hboutemy.
First I call 'mvn clean install' which builds all the artifacts and
stores them in the local maven repository.
Then I call 'mvn clean package artifact:compare' which builds the
artifacts again, but only in the target directory.
The plugin compares the artifacts in the maven repository with the ones
in the target directory by creating buildinfos for the artifacts and
comparing them.
This process also works for SNAPSHOT versions.
Regards Michael
Craig L Russell
c...@apache.org
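
Why two builds on the same machine can still differ, as an added example that is not part of the original thread and not the plugin's code: a .jar is a zip archive whose entries carry a timestamp, so a rebuild a minute later changes the bytes unless that timestamp is pinned. The class names, build times and the `fingerprint` record are constructed for illustration and only stand in for the buildinfo comparison described in the thread.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for compiled classes; names and bytes are made up.
CLASSES = {
    "org/example/A.class": b"\xca\xfe\xba\xbe constructed A",
    "org/example/B.class": b"\xca\xfe\xba\xbe constructed B",
}


def build_jar(files, entry_time):
    """Pack files into an in-memory jar; every entry is stamped entry_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in sorted(files):  # fixed entry order
            info = zipfile.ZipInfo(name, date_time=entry_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, files[name])
    return buf.getvalue()


def fingerprint(jar_bytes):
    """Length plus SHA-512, a simplified stand-in for a buildinfo record."""
    return {"length": len(jar_bytes),
            "sha512": hashlib.sha512(jar_bytes).hexdigest()}


def two_local_builds(pinned_time=None):
    """Build twice, one minute apart on the same machine, and compare.

    Without pinned_time each build stamps entries with its own clock time.
    With pinned_time both builds use that fixed value instead.
    """
    first_clock = (2022, 2, 10, 22, 33, 0)   # constructed build times
    second_clock = (2022, 2, 10, 22, 34, 0)
    reference = build_jar(CLASSES, pinned_time or first_clock)
    rebuilt = build_jar(CLASSES, pinned_time or second_clock)
    return fingerprint(reference) == fingerprint(rebuilt)


if __name__ == "__main__":
    print("clock timestamps :", two_local_builds())
    print("pinned timestamp :", two_local_builds((2022, 1, 1, 0, 0, 0)))
```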