Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Herve Boutemy
SOURCE_DATE_EPOCH is perfect for Linux distributions, that do their own 
distro-specific packages (.rpm, .deb, .apk, ...) from the upstream project by 
adding some patches and some packaging instructions
=> having a general way to inject its own choice of timestamp through a 
standardized environment variable is perfect (for any language or build tool)

here, we are at upstream project level focusing on the JVM and Maven, trying to 
avoid the Java developer to have to run anything additional when he builds his 
project, and even less when he's a release manager doing the official release 
(with maven-release-plugin or other automation approach)

That's why Maven-way to inject a predictable timestamp is not by adding (by 
hand or expecting a shell script) an environment variable before running mvn, 
but getting the value calculated inside mvn invocation

but Reproducible Builds principles remain the same: a predictible timestamp is 
absolutely necessary to have reproducible timestamp entries in archives (based 
on tar & zip in general)

Regards,

Hervé

On 2024/09/25 18:50:08 John Neffenger wrote:
> A follow-up message for those not familiar with the SOURCE_DATE_EPOCH 
> environment variable ...
> 
> On 9/25/24 9:22 AM, John Neffenger wrote:
> > That makes sense, but in general, I always set the date like this:
> > 
> >    SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
> >    export SOURCE_DATE_EPOCH
> > 
> > I pass that to Maven with:
> > 
> >    
> >      ${env.SOURCE_DATE_EPOCH}
> >    
> 
> The page below describes the variable, including a link to its 
> specification:
> 
> SOURCE_DATE_EPOCH
> https://reproducible-builds.org/docs/source-date-epoch/
> 
> The following page gives more background information:
> 
> ReproducibleBuilds/StandardEnvironmentVariables
> https://wiki.debian.org/ReproducibleBuilds/StandardEnvironmentVariables
> 
> John
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
> 
> 

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Herve Boutemy
> So just to be clear, what is the really the end goal of enabling it by
> default? I know the advantages and benefits, but what would be the goal of
> having this opt-out instead of having it opt-in?

if you just build without adding any configuration nor any special (or old) 
plugin, you'll get Reproducible Builds for free = something that I expect to 
happen for many projects: no need to do anything

non-reproducible builds will be caused by some specific plugins (that we'll fix 
over time as we did until now), or additional config that breaks RB that was 
there before config

this is what good defaults are about

Regards,

Hervé


On 2024/09/25 14:23:52 Jorge Solórzano wrote:
> There are some solutions/alternatives here:
> 
> 1) Fixed value by default.
> 2) Warning to the user for having reproducible builds off.
> 3) Use the SCM last commit date.
> 
> I have worked a tiny bit for the Reproducible Builds effort so here is my 2
> cents:
> 
> * Using the SCM last commit date is a bad choice, not everyone will use SCM
> or the source code could be downloaded without scm information (eg.: Source
> Code download links from GitHub), so this is a -1 for me.
> * Throw a warning to the user to force the set of the project.build
> .outputTimestamp value is also a -1 for me, this reminds me of the project.
> build.sourceEncoding that was changed in Maven 4 to UTF-8 by default, and
> having that default value is the correct way to proceed instead of an ugly
> warning.
> * This leaves us with the fixed value by default, the current value (in the
> PR) is 2001-01-01T00:00:00Z this is a good approach, but my personal
> preference is to set it to 1980-01-01T00:00:02Z, the minimal date allowed.
> 
> There should be a way to opt out of this and get the previous behavior for
> those that don't what this.
> As fo the release plugin, it should simply use the fixed date (if the
> property is not set), having a warning seem ugly the same way as the
> sourceEncoding warning was ugly.
> 
> Now, in my experience, sometimes setting the outputTimestamp is not enought
> and is not a silver bullet to make a reproducible build.
> 
> So just to be clear, what is the really the end goal of enabling it by
> default? I know the advantages and benefits, but what would be the goal of
> having this opt-out instead of having it opt-in?
> 
> 
> 
> On Wed, Sep 25, 2024 at 11:03 AM Martin Desruisseaux <
> martin.desruisse...@geomatys.com> wrote:
> 
> > Le 2024-09-25 à 06 h 52, Mateusz Gajewski a écrit :
> > >>
> > >> For me this looks more like an issue of the jar plugin and should
> > >> probably be handled there, then even though I wonder why the zip
> > >> entries need a timestamp for a jar to be reproducible, should it not
> > >> be enough to compare the zip-entries and leave the timestamp alone?
> > >>
> > > The idea of a reproducible build is to create binary exact artifacts
> > > which you can quickly calculate checksum to compare with some
> > > reference build. As the timestamp entry is used in zip/JARs, it
> > > changes the binary representation of a jar as well. So yeah, that's
> > > important.
> > >
> > (note: I'm duplicating here a comment I just made on the PR). I guess
> > that checksum is not a goal in itself, but the higher level goal is
> > security (checking that a JAR file has not been compromised)? If yes,
> > then we do not necessarily need bit for bit reproducibility.
> > "Semantically reproducible build" or "semantic equivalency" can be as
> > good or even better, as it does not force us to throw away useful
> > metadata like the real build time. Microsoft has short discussion about
> > semantic equivalency there:
> >
> > https://github.com/microsoft/OSSGadget/wiki/OSS-Reproducible
> >
> > Could the real issue be that we do not have a Maven plugin for making
> > semantic equivalency check easy? E.g. a plugin that build a project and
> > automatically compare semantically against the JAR file on Maven Central
> > or elsewhere?
> >
> >  Martin
> >
> >
> 

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread John Neffenger
A follow-up message for those not familiar with the SOURCE_DATE_EPOCH 
environment variable ...


On 9/25/24 9:22 AM, John Neffenger wrote:

That makes sense, but in general, I always set the date like this:

   SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
   export SOURCE_DATE_EPOCH

I pass that to Maven with:

   
     ${env.SOURCE_DATE_EPOCH}
   


The page below describes the variable, including a link to its 
specification:


SOURCE_DATE_EPOCH
https://reproducible-builds.org/docs/source-date-epoch/

The following page gives more background information:

ReproducibleBuilds/StandardEnvironmentVariables
https://wiki.debian.org/ReproducibleBuilds/StandardEnvironmentVariables

John


-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread John Neffenger

On 9/25/24 7:23 AM, Jorge Solórzano wrote:

* Using the SCM last commit date is a bad choice, not everyone will use SCM
or the source code could be downloaded without scm information (eg.: Source
Code download links from GitHub), so this is a -1 for me.


That makes sense, but in general, I always set the date like this:

  SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)
  export SOURCE_DATE_EPOCH

I pass that to Maven with:

  
${env.SOURCE_DATE_EPOCH}
  


* This leaves us with the fixed value by default, the current value (in the
PR) is 2001-01-01T00:00:00Z this is a good approach, but my personal
preference is to set it to 1980-01-01T00:00:02Z, the minimal date allowed.


Right! See my comment below on the pull request that added this feature 
to the 'jar' and 'jmod' tools in the JDK:


https://github.com/openjdk/jdk/pull/6481#issuecomment-984220137

Just for reference, at the time of my comment, Debian added 12 hours 1 
minute to the first second of 1980 for their default value 
(1980-01-01T12:01:00Z), while Gradle skipped to the next month 
(1980-02-01T00:00:00Z).


The main thing is to avoid 1980-01-01T00:00:00Z, 1980-01-01T00:00:01Z, 
and any earlier instant.



There should be a way to opt out of this and get the previous behavior for
those that don't what this.


How about just using SOURCE_DATE_EPOCH directly when defined? I guess 
that's more opt-in than opt-out, but it would at least let me avoid 
having to define 'project.build.outputTimestamp' in all my projects.


John


-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Xeno Amess
Hi. if web-download cache be in part of your, Reproducible Builds?

Jorge Solórzano  于2024年9月25日周三 22:26写道:

> There are some solutions/alternatives here:
>
> 1) Fixed value by default.
> 2) Warning to the user for having reproducible builds off.
> 3) Use the SCM last commit date.
>
> I have worked a tiny bit for the Reproducible Builds effort so here is my 2
> cents:
>
> * Using the SCM last commit date is a bad choice, not everyone will use SCM
> or the source code could be downloaded without scm information (eg.: Source
> Code download links from GitHub), so this is a -1 for me.
> * Throw a warning to the user to force the set of the project.build
> .outputTimestamp value is also a -1 for me, this reminds me of the project.
> build.sourceEncoding that was changed in Maven 4 to UTF-8 by default, and
> having that default value is the correct way to proceed instead of an ugly
> warning.
> * This leaves us with the fixed value by default, the current value (in the
> PR) is 2001-01-01T00:00:00Z this is a good approach, but my personal
> preference is to set it to 1980-01-01T00:00:02Z, the minimal date allowed.
>
> There should be a way to opt out of this and get the previous behavior for
> those that don't what this.
> As fo the release plugin, it should simply use the fixed date (if the
> property is not set), having a warning seem ugly the same way as the
> sourceEncoding warning was ugly.
>
> Now, in my experience, sometimes setting the outputTimestamp is not enought
> and is not a silver bullet to make a reproducible build.
>
> So just to be clear, what is the really the end goal of enabling it by
> default? I know the advantages and benefits, but what would be the goal of
> having this opt-out instead of having it opt-in?
>
>
>
> On Wed, Sep 25, 2024 at 11:03 AM Martin Desruisseaux <
> martin.desruisse...@geomatys.com> wrote:
>
> > Le 2024-09-25 à 06 h 52, Mateusz Gajewski a écrit :
> > >>
> > >> For me this looks more like an issue of the jar plugin and should
> > >> probably be handled there, then even though I wonder why the zip
> > >> entries need a timestamp for a jar to be reproducible, should it not
> > >> be enough to compare the zip-entries and leave the timestamp alone?
> > >>
> > > The idea of a reproducible build is to create binary exact artifacts
> > > which you can quickly calculate checksum to compare with some
> > > reference build. As the timestamp entry is used in zip/JARs, it
> > > changes the binary representation of a jar as well. So yeah, that's
> > > important.
> > >
> > (note: I'm duplicating here a comment I just made on the PR). I guess
> > that checksum is not a goal in itself, but the higher level goal is
> > security (checking that a JAR file has not been compromised)? If yes,
> > then we do not necessarily need bit for bit reproducibility.
> > "Semantically reproducible build" or "semantic equivalency" can be as
> > good or even better, as it does not force us to throw away useful
> > metadata like the real build time. Microsoft has short discussion about
> > semantic equivalency there:
> >
> > https://github.com/microsoft/OSSGadget/wiki/OSS-Reproducible
> >
> > Could the real issue be that we do not have a Maven plugin for making
> > semantic equivalency check easy? E.g. a plugin that build a project and
> > automatically compare semantically against the JAR file on Maven Central
> > or elsewhere?
> >
> >  Martin
> >
> >
>


Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Jorge Solórzano
There are some solutions/alternatives here:

1) Fixed value by default.
2) Warning to the user for having reproducible builds off.
3) Use the SCM last commit date.

I have worked a tiny bit for the Reproducible Builds effort so here is my 2
cents:

* Using the SCM last commit date is a bad choice, not everyone will use SCM
or the source code could be downloaded without scm information (eg.: Source
Code download links from GitHub), so this is a -1 for me.
* Throw a warning to the user to force the set of the project.build
.outputTimestamp value is also a -1 for me, this reminds me of the project.
build.sourceEncoding that was changed in Maven 4 to UTF-8 by default, and
having that default value is the correct way to proceed instead of an ugly
warning.
* This leaves us with the fixed value by default, the current value (in the
PR) is 2001-01-01T00:00:00Z this is a good approach, but my personal
preference is to set it to 1980-01-01T00:00:02Z, the minimal date allowed.

There should be a way to opt out of this and get the previous behavior for
those that don't what this.
As fo the release plugin, it should simply use the fixed date (if the
property is not set), having a warning seem ugly the same way as the
sourceEncoding warning was ugly.

Now, in my experience, sometimes setting the outputTimestamp is not enought
and is not a silver bullet to make a reproducible build.

So just to be clear, what is the really the end goal of enabling it by
default? I know the advantages and benefits, but what would be the goal of
having this opt-out instead of having it opt-in?



On Wed, Sep 25, 2024 at 11:03 AM Martin Desruisseaux <
martin.desruisse...@geomatys.com> wrote:

> Le 2024-09-25 à 06 h 52, Mateusz Gajewski a écrit :
> >>
> >> For me this looks more like an issue of the jar plugin and should
> >> probably be handled there, then even though I wonder why the zip
> >> entries need a timestamp for a jar to be reproducible, should it not
> >> be enough to compare the zip-entries and leave the timestamp alone?
> >>
> > The idea of a reproducible build is to create binary exact artifacts
> > which you can quickly calculate checksum to compare with some
> > reference build. As the timestamp entry is used in zip/JARs, it
> > changes the binary representation of a jar as well. So yeah, that's
> > important.
> >
> (note: I'm duplicating here a comment I just made on the PR). I guess
> that checksum is not a goal in itself, but the higher level goal is
> security (checking that a JAR file has not been compromised)? If yes,
> then we do not necessarily need bit for bit reproducibility.
> "Semantically reproducible build" or "semantic equivalency" can be as
> good or even better, as it does not force us to throw away useful
> metadata like the real build time. Microsoft has short discussion about
> semantic equivalency there:
>
> https://github.com/microsoft/OSSGadget/wiki/OSS-Reproducible
>
> Could the real issue be that we do not have a Maven plugin for making
> semantic equivalency check easy? E.g. a plugin that build a project and
> automatically compare semantically against the JAR file on Maven Central
> or elsewhere?
>
>  Martin
>
>


Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Martin Desruisseaux

Le 2024-09-25 à 06 h 52, Mateusz Gajewski a écrit :


For me this looks more like an issue of the jar plugin and should 
probably be handled there, then even though I wonder why the zip 
entries need a timestamp for a jar to be reproducible, should it not 
be enough to compare the zip-entries and leave the timestamp alone?


The idea of a reproducible build is to create binary exact artifacts 
which you can quickly calculate checksum to compare with some 
reference build. As the timestamp entry is used in zip/JARs, it 
changes the binary representation of a jar as well. So yeah, that's 
important.


(note: I'm duplicating here a comment I just made on the PR). I guess 
that checksum is not a goal in itself, but the higher level goal is 
security (checking that a JAR file has not been compromised)? If yes, 
then we do not necessarily need bit for bit reproducibility. 
"Semantically reproducible build" or "semantic equivalency" can be as 
good or even better, as it does not force us to throw away useful 
metadata like the real build time. Microsoft has short discussion about 
semantic equivalency there:


   https://github.com/microsoft/OSSGadget/wiki/OSS-Reproducible

Could the real issue be that we do not have a Maven plugin for making 
semantic equivalency check easy? E.g. a plugin that build a project and 
automatically compare semantically against the JAR file on Maven Central 
or elsewhere?


    Martin



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Guillaume Nodet
Another solution is to migrate to the 4.1.0 Maven model and add the
root="true" attribute in the root project pom.
The ".mvn" is a way to support both Maven 3 and 4 for a project.

Le mer. 25 sept. 2024 à 08:41, Richard Eckart de Castilho
 a écrit :
>
> Please do not make us have to create an empty directory just to please
> the build tool...
>
> -- Richard
>
> > On 24. Sep 2024, at 23:06, Tamás Cservenák  wrote:
> >
> > So, essentially, if you have a Maven3 project, and you want to build it
> > with Maven4, you MUST have a ".mvn" directory. You must create a ".mvn"
> > directory. This "migration" is IMHO not biggie, as MANY Maven3 projects
> > already have ".mvn" directory in the proper place.
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>


-- 

Guillaume Nodet

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Romain Manni-Bucau
Ultimatly we could use scm abstraction to use latest commit date, would be
almost always ok (except for stale cases and no scm but these cases dont
care abojt reproducibility).
Can just need a quick impl for git maybe to not penalise builds (direct
.git head file read if possible)

Le mer. 25 sept. 2024 à 09:05, Delany  a écrit :

> What about an empty .mvn/maven.config file?
> Delany
>
> On Wed, 25 Sept 2024 at 08:41, Richard Eckart de Castilho 
> wrote:
>
> > Please do not make us have to create an empty directory just to please
> > the build tool...
> >
> > -- Richard
> >
> > > On 24. Sep 2024, at 23:06, Tamás Cservenák 
> wrote:
> > >
> > > So, essentially, if you have a Maven3 project, and you want to build it
> > > with Maven4, you MUST have a ".mvn" directory. You must create a ".mvn"
> > > directory. This "migration" is IMHO not biggie, as MANY Maven3 projects
> > > already have ".mvn" directory in the proper place.
> >
> >
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >
> >
>


Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-25 Thread Delany
What about an empty .mvn/maven.config file?
Delany

On Wed, 25 Sept 2024 at 08:41, Richard Eckart de Castilho 
wrote:

> Please do not make us have to create an empty directory just to please
> the build tool...
>
> -- Richard
>
> > On 24. Sep 2024, at 23:06, Tamás Cservenák  wrote:
> >
> > So, essentially, if you have a Maven3 project, and you want to build it
> > with Maven4, you MUST have a ".mvn" directory. You must create a ".mvn"
> > directory. This "migration" is IMHO not biggie, as MANY Maven3 projects
> > already have ".mvn" directory in the proper place.
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>


Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Richard Eckart de Castilho
Please do not make us have to create an empty directory just to please 
the build tool...

-- Richard

> On 24. Sep 2024, at 23:06, Tamás Cservenák  wrote:
> 
> So, essentially, if you have a Maven3 project, and you want to build it
> with Maven4, you MUST have a ".mvn" directory. You must create a ".mvn"
> directory. This "migration" is IMHO not biggie, as MANY Maven3 projects
> already have ".mvn" directory in the proper place.



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Mateusz Gajewski
On Wed, Sep 25, 2024 at 5:58 AM Christoph Läubrich 
wrote:

>  > yes, this is the idea: there is no other option I can imagine to get
> a reproducible zip entries timestamp, whatever the precise value of the
> timestamp it is
>  > If anybody has any other algorithm idea (that supports wide reality
> of situation: not everything is built from Git, for example), I'm all
> ears open
>
> For me this looks more like an issue of the jar plugin and should
> probably be handled there, then even though I wonder why the zip entries
> need a timestamp for a jar to be reproducible, should it not be enough
> to compare the zip-entries and leave the timestamp alone?
>

The idea of a reproducible build is to create binary exact artifacts which
you can quickly calculate checksum to compare with some reference build. As
the timestamp entry is used in zip/JARs, it changes the binary
representation of a jar as well. So yeah, that's important.

>
> Am 24.09.24 um 22:54 schrieb Herve Boutemy:
> >> Or is the idea to have a *fixed* *default* timestamp for all builds?
> >
> > yes, this is the idea: there is no other option I can imagine to get a
> reproducible zip entries timestamp, whatever the precise value of the
> timestamp it is
> >
> > If anybody has any other algorithm idea (that supports wide reality of
> situation: not everything is built from Git, for example), I'm all ears open
> >
> > if people want to discuss the exact default value chosen, we can also: I
> don't care about this value, it just has to be defined
> >
> > Regards,
> >
> > Hervé
> >
> > On 2024/09/24 11:49:45 Ceki Gulcu wrote:
> >>
> >> Hi Hervé,
> >>
> >>
> >> In my opinion, the value of  should be
> >> part of the pom.xml file and thus visible after the build. Otherwise,
> >> how can the build be reproducible?
> >>
> >> Or is the idea to have a *fixed* *default* timestamp for all builds?
> >>
> >> --
> >> Ceki Gülcü
> >>
> >> Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
> >>
> >>
> >>
> >> On 24/09/2024 11:21, Olivier Lamy wrote:
> >>> Hi
> >>> It looks like you have some comments on the PR :)
> >>> I know it's been implemented as is for a long time now, but I wonder I
> >>> (and it looks like a few others) wonder if we could avoid this
> >>> "random" build timestamp.
> >>>
> >>>
> >>> On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy 
> wrote:
> 
>  everything is in the title
> 
>  Jira issue is https://issues.apache.org/jira/browse/MNG-8258
>  PR is https://github.com/apache/maven/pull/1726
> 
>  WDYT about merging this PR as part of the Maven 4 global update?
> 
>  Regards,
> 
>  Hervé
> 
> 
> 
>  -
>  To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>  For additional commands, e-mail: dev-h...@maven.apache.org
> 
> >>>
> >>> -
> >>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >>> For additional commands, e-mail: dev-h...@maven.apache.org
> >>>
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> For additional commands, e-mail: dev-h...@maven.apache.org
> >>
> >>
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>


Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Christoph Läubrich
> yes, this is the idea: there is no other option I can imagine to get 
a reproducible zip entries timestamp, whatever the precise value of the 
timestamp it is
> If anybody has any other algorithm idea (that supports wide reality 
of situation: not everything is built from Git, for example), I'm all 
ears open


For me this looks more like an issue of the jar plugin and should 
probably be handled there, then even though I wonder why the zip entries 
need a timestamp for a jar to be reproducible, should it not be enough 
to compare the zip-entries and leave the timestamp alone?


Am 24.09.24 um 22:54 schrieb Herve Boutemy:

Or is the idea to have a *fixed* *default* timestamp for all builds?


yes, this is the idea: there is no other option I can imagine to get a 
reproducible zip entries timestamp, whatever the precise value of the timestamp 
it is

If anybody has any other algorithm idea (that supports wide reality of 
situation: not everything is built from Git, for example), I'm all ears open

if people want to discuss the exact default value chosen, we can also: I don't 
care about this value, it just has to be defined

Regards,

Hervé

On 2024/09/24 11:49:45 Ceki Gulcu wrote:


Hi Hervé,


In my opinion, the value of  should be
part of the pom.xml file and thus visible after the build. Otherwise,
how can the build be reproducible?

Or is the idea to have a *fixed* *default* timestamp for all builds?

--
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch



On 24/09/2024 11:21, Olivier Lamy wrote:

Hi
It looks like you have some comments on the PR :)
I know it's been implemented as is for a long time now, but I wonder I
(and it looks like a few others) wonder if we could avoid this
"random" build timestamp.


On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy  wrote:


everything is in the title

Jira issue is https://issues.apache.org/jira/browse/MNG-8258
PR is https://github.com/apache/maven/pull/1726

WDYT about merging this PR as part of the Maven 4 global update?

Regards,

Hervé



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Tamás Cservenák
Not just that (def value):
release plugin will NOT update the timestamp, if value is "inherited" from
super POM, as opposed to "property is present in top level reactor POM".
At least this is what I see from release sources, may be wrong. Still, the
simplest is to have property in the project (parent).

Hence I think Maven warning is "cleanest" and also simplest thing we can do
for now, especially as Maven4 needs to transparently build Maven3
projects

Thanks
T

On Tue, Sep 24, 2024 at 11:13 PM Manfred Moser 
wrote:

> Fair enough .. that would be good as well. If we have no clear way for a
> reasonable default value .. the default can be a warning with advice.
>
> manfred
>
> On 2024-09-24 2:06 p.m., Tamás Cservenák wrote:
> > Just to tie to the previous message:
> > we also discussed making ".mvn" directory _mandatory_ (from mvn4).
> >
> > So, essentially, if you have a Maven3 project, and you want to build it
> > with Maven4, you MUST have a ".mvn" directory. You must create a ".mvn"
> > directory. This "migration" is IMHO not biggie, as MANY Maven3 projects
> > already have ".mvn" directory in the proper place.
> >
> > (otherwise, currently in Maven3 various code paths, like for start the
> one
> > in mvn script, then the one in MavenCli kicks in trying to "figure out"
> > where is .mvn)
> >
> > IMHO the same stands for this: warn the user if build is NOT
> reproducible,
> > starting from Maven4.
> >
> > Thanks
> > T
> >
> > On Tue, Sep 24, 2024 at 10:59 PM Tamás Cservenák 
> > wrote:
> >
> >> Howdy,
> >>
> >> we discussed this with Guillaume for a bit, and we got to a question:
> >> why does Maven not warn IF build is not reproducible? (somehow similar
> >> situation as with lack of .mvn directory)
> >>
> >> Yes, Maven always "does right", but in these two cases (date of the
> build
> >> and locating .mvn directory) the "heuristics" may be off, way off, and
> is
> >> better to be explicit. Hence, IMO Maven should just warn "this build is
> not
> >> reproducible (and you should do this and this to make it reproducible)".
> >>
> >> No magic, just warn the user. Probably from Maven4
> >>
> >> Thanks
> >> T
> >>
> >>
> >>
> >> On Tue, Sep 24, 2024 at 10:56 PM Herve Boutemy 
> >> wrote:
> >>
>  Or is the idea to have a *fixed* *default* timestamp for all builds?
> >>> yes, this is the idea: there is no other option I can imagine to get a
> >>> reproducible zip entries timestamp, whatever the precise value of the
> >>> timestamp it is
> >>>
> >>> If anybody has any other algorithm idea (that supports wide reality of
> >>> situation: not everything is built from Git, for example), I'm all
> ears open
> >>>
> >>> if people want to discuss the exact default value chosen, we can also:
> I
> >>> don't care about this value, it just has to be defined
> >>>
> >>> Regards,
> >>>
> >>> Hervé
> >>>
> >>> On 2024/09/24 11:49:45 Ceki Gulcu wrote:
>  Hi Hervé,
> 
> 
>  In my opinion, the value of  should be
>  part of the pom.xml file and thus visible after the build. Otherwise,
>  how can the build be reproducible?
> 
>  Or is the idea to have a *fixed* *default* timestamp for all builds?
> 
>  --
>  Ceki Gülcü
> 
>  Sponsoring SLF4J/logback/reload4j at
> https://github.com/sponsors/qos-ch
> 
> 
> 
>  On 24/09/2024 11:21, Olivier Lamy wrote:
> > Hi
> > It looks like you have some comments on the PR :)
> > I know it's been implemented as is for a long time now, but I wonder
> I
> > (and it looks like a few others) wonder if we could avoid this
> > "random" build timestamp.
> >
> >
> > On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy 
> >>> wrote:
> >> everything is in the title
> >>
> >> Jira issue is https://issues.apache.org/jira/browse/MNG-8258
> >> PR is https://github.com/apache/maven/pull/1726
> >>
> >> WDYT about merging this PR as part of the Maven 4 global update?
> >>
> >> Regards,
> >>
> >> Hervé
> >>
> >>
> >>
> >>
> -
> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> For additional commands, e-mail: dev-h...@maven.apache.org
> >>
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >
> 
>  -
>  To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>  For additional commands, e-mail: dev-h...@maven.apache.org
> 
> 
> >>> -
> >>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >>> For additional commands, e-mail: dev-h...@maven.apache.org
> >>>
> >>>
>
> -
> T

Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Manfred Moser
Fair enough .. that would be good as well. If we have no clear way for a 
reasonable default value .. the default can be a warning with advice.


manfred

On 2024-09-24 2:06 p.m., Tamás Cservenák wrote:

Just to tie to the previous message:
we also discussed making ".mvn" directory _mandatory_ (from mvn4).

So, essentially, if you have a Maven3 project, and you want to build it
with Maven4, you MUST have a ".mvn" directory. You must create a ".mvn"
directory. This "migration" is IMHO not biggie, as MANY Maven3 projects
already have ".mvn" directory in the proper place.

(otherwise, currently in Maven3 various code paths, like for start the one
in mvn script, then the one in MavenCli kicks in trying to "figure out"
where is .mvn)

IMHO the same stands for this: warn the user if build is NOT reproducible,
starting from Maven4.

Thanks
T

On Tue, Sep 24, 2024 at 10:59 PM Tamás Cservenák 
wrote:


Howdy,

we discussed this with Guillaume for a bit, and we got to a question:
why does Maven not warn IF build is not reproducible? (somehow similar
situation as with lack of .mvn directory)

Yes, Maven always "does right", but in these two cases (date of the build
and locating .mvn directory) the "heuristics" may be off, way off, and is
better to be explicit. Hence, IMO Maven should just warn "this build is not
reproducible (and you should do this and this to make it reproducible)".

No magic, just warn the user. Probably from Maven4

Thanks
T



On Tue, Sep 24, 2024 at 10:56 PM Herve Boutemy 
wrote:


Or is the idea to have a *fixed* *default* timestamp for all builds?

yes, this is the idea: there is no other option I can imagine to get a
reproducible zip entries timestamp, whatever the precise value of the
timestamp it is

If anybody has any other algorithm idea (that supports wide reality of
situation: not everything is built from Git, for example), I'm all ears open

if people want to discuss the exact default value chosen, we can also: I
don't care about this value, it just has to be defined

Regards,

Hervé

On 2024/09/24 11:49:45 Ceki Gulcu wrote:

Hi Hervé,


In my opinion, the value of  should be
part of the pom.xml file and thus visible after the build. Otherwise,
how can the build be reproducible?

Or is the idea to have a *fixed* *default* timestamp for all builds?

--
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch



On 24/09/2024 11:21, Olivier Lamy wrote:

Hi
It looks like you have some comments on the PR :)
I know it's been implemented as is for a long time now, but I wonder I
(and it looks like a few others) wonder if we could avoid this
"random" build timestamp.


On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy 

wrote:

everything is in the title

Jira issue is https://issues.apache.org/jira/browse/MNG-8258
PR is https://github.com/apache/maven/pull/1726

WDYT about merging this PR as part of the Maven 4 global update?

Regards,

Hervé



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Ceki Gulcu



Hi Hervé,

Thank you for the clarification.

If there is a fixed default timestamp value, then the timestamp in 
various builds would not respect temporal causality.


Also, people looking inside MANIFEST.MF files would get confused.

A fixed default timestamp value would inject incorrect information into 
the build for the sake of reproducibility. The timestamp is not the only 
obstacle for reproducibility is it? Anyway, and if I may say so, the 
idea of a fixed timestamp feels wrong.


Best regards,
--
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch

On 24/09/2024 22:54, Herve Boutemy wrote:

Or is the idea to have a *fixed* *default* timestamp for all builds?


yes, this is the idea: there is no other option I can imagine to get a 
reproducible zip entries timestamp, whatever the precise value of the timestamp 
it is

If anybody has any other algorithm idea (that supports wide reality of 
situation: not everything is built from Git, for example), I'm all ears open

if people want to discuss the exact default value chosen, we can also: I don't 
care about this value, it just has to be defined

Regards,

Hervé

On 2024/09/24 11:49:45 Ceki Gulcu wrote:


Hi Hervé,


In my opinion, the value of  should be
part of the pom.xml file and thus visible after the build. Otherwise,
how can the build be reproducible?

Or is the idea to have a *fixed* *default* timestamp for all builds?

--
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch



On 24/09/2024 11:21, Olivier Lamy wrote:

Hi
It looks like you have some comments on the PR :)
I know it's been implemented as is for a long time now, but I wonder I
(and it looks like a few others) wonder if we could avoid this
"random" build timestamp.


On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy  wrote:


everything is in the title

Jira issue is https://issues.apache.org/jira/browse/MNG-8258
PR is https://github.com/apache/maven/pull/1726

WDYT about merging this PR as part of the Maven 4 global update?

Regards,

Hervé



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Tamás Cservenák
Just to tie to the previous message:
we also discussed making ".mvn" directory _mandatory_ (from mvn4).

So, essentially, if you have a Maven3 project, and you want to build it
with Maven4, you MUST have a ".mvn" directory. You must create a ".mvn"
directory. This "migration" is IMHO not biggie, as MANY Maven3 projects
already have ".mvn" directory in the proper place.

(otherwise, currently in Maven3 various code paths, like for start the one
in mvn script, then the one in MavenCli kicks in trying to "figure out"
where is .mvn)

IMHO the same stands for this: warn the user if build is NOT reproducible,
starting from Maven4.

Thanks
T

On Tue, Sep 24, 2024 at 10:59 PM Tamás Cservenák 
wrote:

> Howdy,
>
> we discussed this with Guillaume for a bit, and we got to a question:
> why does Maven not warn IF build is not reproducible? (somehow similar
> situation as with lack of .mvn directory)
>
> Yes, Maven always "does right", but in these two cases (date of the build
> and locating .mvn directory) the "heuristics" may be off, way off, and is
> better to be explicit. Hence, IMO Maven should just warn "this build is not
> reproducible (and you should do this and this to make it reproducible)".
>
> No magic, just warn the user. Probably from Maven4
>
> Thanks
> T
>
>
>
> On Tue, Sep 24, 2024 at 10:56 PM Herve Boutemy 
> wrote:
>
>> > Or is the idea to have a *fixed* *default* timestamp for all builds?
>>
>> yes, this is the idea: there is no other option I can imagine to get a
>> reproducible zip entries timestamp, whatever the precise value of the
>> timestamp it is
>>
>> If anybody has any other algorithm idea (that supports wide reality of
>> situation: not everything is built from Git, for example), I'm all ears open
>>
>> if people want to discuss the exact default value chosen, we can also: I
>> don't care about this value, it just has to be defined
>>
>> Regards,
>>
>> Hervé
>>
>> On 2024/09/24 11:49:45 Ceki Gulcu wrote:
>> >
>> > Hi Hervé,
>> >
>> >
>> > In my opinion, the value of  should be
>> > part of the pom.xml file and thus visible after the build. Otherwise,
>> > how can the build be reproducible?
>> >
>> > Or is the idea to have a *fixed* *default* timestamp for all builds?
>> >
>> > --
>> > Ceki Gülcü
>> >
>> > Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
>> >
>> >
>> >
>> > On 24/09/2024 11:21, Olivier Lamy wrote:
>> > > Hi
>> > > It looks like you have some comments on the PR :)
>> > > I know it's been implemented as is for a long time now, but I wonder I
>> > > (and it looks like a few others) wonder if we could avoid this
>> > > "random" build timestamp.
>> > >
>> > >
>> > > On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy 
>> wrote:
>> > >>
>> > >> everything is in the title
>> > >>
>> > >> Jira issue is https://issues.apache.org/jira/browse/MNG-8258
>> > >> PR is https://github.com/apache/maven/pull/1726
>> > >>
>> > >> WDYT about merging this PR as part of the Maven 4 global update?
>> > >>
>> > >> Regards,
>> > >>
>> > >> Hervé
>> > >>
>> > >>
>> > >>
>> > >> -
>> > >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> > >> For additional commands, e-mail: dev-h...@maven.apache.org
>> > >>
>> > >
>> > > -
>> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> > > For additional commands, e-mail: dev-h...@maven.apache.org
>> > >
>> >
>> >
>> > -
>> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> > For additional commands, e-mail: dev-h...@maven.apache.org
>> >
>> >
>>
>> -
>> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
>> For additional commands, e-mail: dev-h...@maven.apache.org
>>
>>


Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Tamás Cservenák
Howdy,

we discussed this with Guillaume for a bit, and we got to a question:
why does Maven not warn IF build is not reproducible? (somehow similar
situation as with lack of .mvn directory)

Yes, Maven always "does right", but in these two cases (date of the build
and locating .mvn directory) the "heuristics" may be off, way off, and is
better to be explicit. Hence, IMO Maven should just warn "this build is not
reproducible (and you should do this and this to make it reproducible)".

No magic, just warn the user. Probably from Maven4

Thanks
T



On Tue, Sep 24, 2024 at 10:56 PM Herve Boutemy  wrote:

> > Or is the idea to have a *fixed* *default* timestamp for all builds?
>
> yes, this is the idea: there is no other option I can imagine to get a
> reproducible zip entries timestamp, whatever the precise value of the
> timestamp it is
>
> If anybody has any other algorithm idea (that supports wide reality of
> situation: not everything is built from Git, for example), I'm all ears open
>
> if people want to discuss the exact default value chosen, we can also: I
> don't care about this value, it just has to be defined
>
> Regards,
>
> Hervé
>
> On 2024/09/24 11:49:45 Ceki Gulcu wrote:
> >
> > Hi Hervé,
> >
> >
> > In my opinion, the value of  should be
> > part of the pom.xml file and thus visible after the build. Otherwise,
> > how can the build be reproducible?
> >
> > Or is the idea to have a *fixed* *default* timestamp for all builds?
> >
> > --
> > Ceki Gülcü
> >
> > Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
> >
> >
> >
> > On 24/09/2024 11:21, Olivier Lamy wrote:
> > > Hi
> > > It looks like you have some comments on the PR :)
> > > I know it's been implemented as is for a long time now, but I wonder I
> > > (and it looks like a few others) wonder if we could avoid this
> > > "random" build timestamp.
> > >
> > >
> > > On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy 
> wrote:
> > >>
> > >> everything is in the title
> > >>
> > >> Jira issue is https://issues.apache.org/jira/browse/MNG-8258
> > >> PR is https://github.com/apache/maven/pull/1726
> > >>
> > >> WDYT about merging this PR as part of the Maven 4 global update?
> > >>
> > >> Regards,
> > >>
> > >> Hervé
> > >>
> > >>
> > >>
> > >> -
> > >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > >> For additional commands, e-mail: dev-h...@maven.apache.org
> > >>
> > >
> > > -
> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > For additional commands, e-mail: dev-h...@maven.apache.org
> > >
> >
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> >
> >
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>


Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Herve Boutemy
> Or is the idea to have a *fixed* *default* timestamp for all builds?

yes, this is the idea: there is no other option I can imagine to get a 
reproducible zip entries timestamp, whatever the precise value of the timestamp 
it is

If anybody has any other algorithm idea (that supports wide reality of 
situation: not everything is built from Git, for example), I'm all ears open

if people want to discuss the exact default value chosen, we can also: I don't 
care about this value, it just has to be defined

Regards,

Hervé

On 2024/09/24 11:49:45 Ceki Gulcu wrote:
> 
> Hi Hervé,
> 
> 
> In my opinion, the value of  should be 
> part of the pom.xml file and thus visible after the build. Otherwise, 
> how can the build be reproducible?
> 
> Or is the idea to have a *fixed* *default* timestamp for all builds?
> 
> -- 
> Ceki Gülcü
> 
> Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch
> 
> 
> 
> On 24/09/2024 11:21, Olivier Lamy wrote:
> > Hi
> > It looks like you have some comments on the PR :)
> > I know it's been implemented as is for a long time now, but I wonder I
> > (and it looks like a few others) wonder if we could avoid this
> > "random" build timestamp.
> > 
> > 
> > On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy  wrote:
> >>
> >> everything is in the title
> >>
> >> Jira issue is https://issues.apache.org/jira/browse/MNG-8258
> >> PR is https://github.com/apache/maven/pull/1726
> >>
> >> WDYT about merging this PR as part of the Maven 4 global update?
> >>
> >> Regards,
> >>
> >> Hervé
> >>
> >>
> >>
> >> -
> >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> >> For additional commands, e-mail: dev-h...@maven.apache.org
> >>
> > 
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > For additional commands, e-mail: dev-h...@maven.apache.org
> > 
> 
> 
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
> 
> 

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Manfred Moser

Without looking at the details in the PR or issue..

I strongly support this on principle. Maven was always about doing the 
right thing out of the box. I think this falls very much in that category.


+1

Manfred

On 2024-09-24 12:03 a.m., Hervé Boutemy wrote:

everything is in the title

Jira issue is https://issues.apache.org/jira/browse/MNG-8258
PR is https://github.com/apache/maven/pull/1726

WDYT about merging this PR as part of the Maven 4 global update?

Regards,

Hervé



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Ceki Gulcu



Hi Hervé,


In my opinion, the value of  should be 
part of the pom.xml file and thus visible after the build. Otherwise, 
how can the build be reproducible?


Or is the idea to have a *fixed* *default* timestamp for all builds?

--
Ceki Gülcü

Sponsoring SLF4J/logback/reload4j at https://github.com/sponsors/qos-ch



On 24/09/2024 11:21, Olivier Lamy wrote:

Hi
It looks like you have some comments on the PR :)
I know it's been implemented as is for a long time now, but I wonder I
(and it looks like a few others) wonder if we could avoid this
"random" build timestamp.


On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy  wrote:


everything is in the title

Jira issue is https://issues.apache.org/jira/browse/MNG-8258
PR is https://github.com/apache/maven/pull/1726

WDYT about merging this PR as part of the Maven 4 global update?

Regards,

Hervé



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Olivier Lamy
Hi
It looks like you have some comments on the PR :)
I know it's been implemented as is for a long time now, but I wonder I
(and it looks like a few others) wonder if we could avoid this
"random" build timestamp.


On Tue, 24 Sept 2024 at 17:05, Hervé Boutemy  wrote:
>
> everything is in the title
>
> Jira issue is https://issues.apache.org/jira/browse/MNG-8258
> PR is https://github.com/apache/maven/pull/1726
>
> WDYT about merging this PR as part of the Maven 4 global update?
>
> Regards,
>
> Hervé
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org



Re: [DISCUSSION] activating Reproducible Builds by default in Maven 4

2024-09-24 Thread Mateusz Gajewski
Reproducible builds are immensely helpful and if this can be supported out
of the box I’m all in :)

On Tue, Sep 24, 2024 at 09:05 Hervé Boutemy  wrote:

> everything is in the title
>
> Jira issue is https://issues.apache.org/jira/browse/MNG-8258
> PR is https://github.com/apache/maven/pull/1726
>
> WDYT about merging this PR as part of the Maven 4 global update?
>
> Regards,
>
> Hervé
>
>
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> For additional commands, e-mail: dev-h...@maven.apache.org
>
>