Re: [DISCUSS] checking reproducible builds

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: [DISCUSS] checking reproducible builds

Konrad Windszus-2
As creating a new maven-artifact-plugin will probably take some time, maybe it would be possible to push a release build of https://github.com/apache/maven-studies/tree/maven-buildinfo-plugin to Maven Central. Or is there already a rough schedule for coming up with the new maven-artifact-plugin?

Thanks,
Konrad

On 2020/03/08 20:04:56, "Robert Scholte" <[hidden email]> wrote:

> I'm thinking of maven-artifact-plugin, having goals related to artifacts.
> That implies that the save goal should be renamed.
> A couple of goals of the maven-dependency-plugin are actually more artifact-related are might be worth moving.
>
> Robert
>
> On 8-3-2020 13:44:07, Michael Osipov <[hidden email]> wrote:
> Am 2020-03-08 um 12:48 schrieb Hervé BOUTEMY:
> > Le dimanche 8 mars 2020, 00:31:07 CET Michael Osipov a écrit :
> >> Am 2020-03-07 um 19:04 schrieb Hervé BOUTEMY:
> >>> Le samedi 7 mars 2020, 17:39:20 CET Michael Osipov a écrit :
> >>>> This is expected because I am on 1.8.0_242. I don't have Java 7
> >>>> installed anymore on the server.
> >>>
> >>> for the discussion I wanted us to have, just being able to test and see
> >>> how we detect issues, this is perfect, isn't it?
> >>
> >> This is really nice. Here is the diffoscope output:
> > you're discovering the wonders of diffoscope :)
> >
> >>> --- maven-site-plugin-3.9.0.jar
> >>> +++ reference/maven-site-plugin-3.9.0.jar
> >>> ├── zipinfo {}
> >>> │ @@ -1,8 +1,8 @@
> > [...]
> >>> META-INF/MANIFEST.MF
> >>> │ @@ -1,10 +1,10 @@
> >>> │ Manifest-Version: 1.0
> >>> │ +Implementation-Vendor: The Apache Software Foundation^M
> >>> │ Implementation-Title: Apache Maven Site Plugin
> >>> │ Implementation-Version: 3.9.0
> >>> │ +Build-Jdk-Spec: 1.7^M
> >>> │ Specification-Vendor: The Apache Software Foundation
> >>> │ -Specification-Title: Apache Maven Site Plugin^M
> >>> │ -Build-Jdk-Spec: 1.8^M
> >>> │ Created-By: Maven Jar Plugin 3.2.0
> >>> │ +Specification-Title: Apache Maven Site Plugin^M
> >>> │ Specification-Version: 3.9
> >>> │ -Implementation-Vendor: The Apache Software Foundation^M
> >>
> >> I wonder where the CRs code from...this could be the default
> >> serialization format on every platform.
> > FYI I don't have such CRs in output on my Linux box
>
> This cannot be. See
> https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/master/src/java.base/share/classes/java/util/jar/Manifest.java
> and search for \r\n. Old Sun code uses *always* CRLF. Plase recheck on
> your side and run a hexdump on the Manifest file.
>
> >>> how did you find the experience? any improvement proposal?
> >>> and any idea on where to put this goal in the future?
> >>
> >> There is room for improvement when I quickly read the code. I will write
> >> separately on this.
> > sure, code can be improved: don't hesitate
> > but I was not asking yet for code improvement (I'm confident, it will happen)
> > but *experience* improvement
> >
> >> I'd leave as a plugin for now.
> > you mean a separate plugin? same "buildinfo" name as current? "save" goal
> > name?
>
> OK, let's talk about experience:
>
> * buildinfo may be changed to broader name, e.g.,
> maven-reproducibility-plugin. Explanain follows
> * 'save' does too much. It should save only and not compare. Save should
> either run at initialize or at build-resources phase, imho
> * Add a 'compare' goal, not phase bound. It performs the actual comparsion.
>
> Strictly speaking if the plugin is called buildinfo it should handle the
> buildinfo files only.
>
> >> At least in 3.7.x.
> > 3.7.x as Maven 3.7.x?
> > does that mean that you think it should be one day integrated into Maven core?
> > what's the rationale?
>
> Not really, but if this happens, not before 4.x. I don't have any
> rationale or entry point for this yet.
>
> Michael
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: [DISCUSS] checking reproducible builds

Hervé BOUTEMY
any objection that I create a new maven-artifact-plugin Git repository
initialized with current maven-buildinfo-plugin Git history?

Regards,

Hervé

Le mercredi 27 mai 2020, 19:26:55 CEST Robert Scholte a écrit :

> maven-studies are just a sandbox, experimental code. Once it has a good
> shape, it can be promoted to a separate project. So no, we're not going to
> release the maven-buildinfo-plugin.
>
> Robert
> On 26-5-2020 23:17:29, Konrad Windszus <[hidden email]> wrote:
> As creating a new maven-artifact-plugin will probably take some time, maybe
> it would be possible to push a release build of
> https://github.com/apache/maven-studies/tree/maven-buildinfo-plugin to
> Maven Central. Or is there already a rough schedule for coming up with the
> new maven-artifact-plugin?
>
> Thanks,
> Konrad
>
> On 2020/03/08 20:04:56, "Robert Scholte" wrote:
> > I'm thinking of maven-artifact-plugin, having goals related to artifacts.
> > That implies that the save goal should be renamed.
> > A couple of goals of the maven-dependency-plugin are actually more
> > artifact-related are might be worth moving.
> >
> > Robert
> >
> > On 8-3-2020 13:44:07, Michael Osipov wrote:
> >
> > Am 2020-03-08 um 12:48 schrieb Hervé BOUTEMY:
> > > Le dimanche 8 mars 2020, 00:31:07 CET Michael Osipov a écrit :
> > >> Am 2020-03-07 um 19:04 schrieb Hervé BOUTEMY:
> > >>> Le samedi 7 mars 2020, 17:39:20 CET Michael Osipov a écrit :
> > >>>> This is expected because I am on 1.8.0_242. I don't have Java 7
> > >>>> installed anymore on the server.
> > >>>
> > >>> for the discussion I wanted us to have, just being able to test and
> > >>> see
> > >>> how we detect issues, this is perfect, isn't it?
> > >>
> > >> This is really nice. Here is the diffoscope output:
> > > you're discovering the wonders of diffoscope :)
> > >
> > >>> --- maven-site-plugin-3.9.0.jar
> > >>> +++ reference/maven-site-plugin-3.9.0.jar
> > >>> ├── zipinfo {}
> > >>> │ @@ -1,8 +1,8 @@
> > >
> > > [...]
> > >
> > >>> META-INF/MANIFEST.MF
> > >>> │ @@ -1,10 +1,10 @@
> > >>> │ Manifest-Version: 1.0
> > >>> │ +Implementation-Vendor: The Apache Software Foundation^M
> > >>> │ Implementation-Title: Apache Maven Site Plugin
> > >>> │ Implementation-Version: 3.9.0
> > >>> │ +Build-Jdk-Spec: 1.7^M
> > >>> │ Specification-Vendor: The Apache Software Foundation
> > >>> │ -Specification-Title: Apache Maven Site Plugin^M
> > >>> │ -Build-Jdk-Spec: 1.8^M
> > >>> │ Created-By: Maven Jar Plugin 3.2.0
> > >>> │ +Specification-Title: Apache Maven Site Plugin^M
> > >>> │ Specification-Version: 3.9
> > >>> │ -Implementation-Vendor: The Apache Software Foundation^M
> > >>
> > >> I wonder where the CRs code from...this could be the default
> > >> serialization format on every platform.
> > >
> > > FYI I don't have such CRs in output on my Linux box
> >
> > This cannot be. See
> > https://github.com/AdoptOpenJDK/openjdk-jdk11u/blob/master/src/java.base/s
> > hare/classes/java/util/jar/Manifest.java and search for \r\n. Old Sun code
> > uses *always* CRLF. Plase recheck on your side and run a hexdump on the
> > Manifest file.
> >
> > >>> how did you find the experience? any improvement proposal?
> > >>> and any idea on where to put this goal in the future?
> > >>
> > >> There is room for improvement when I quickly read the code. I will
> > >> write
> > >> separately on this.
> > >
> > > sure, code can be improved: don't hesitate
> > > but I was not asking yet for code improvement (I'm confident, it will
> > > happen) but *experience* improvement
> > >
> > >> I'd leave as a plugin for now.
> > >
> > > you mean a separate plugin? same "buildinfo" name as current? "save"
> > > goal
> > > name?
> >
> > OK, let's talk about experience:
> >
> > * buildinfo may be changed to broader name, e.g.,
> > maven-reproducibility-plugin. Explanain follows
> > * 'save' does too much. It should save only and not compare. Save should
> > either run at initialize or at build-resources phase, imho
> > * Add a 'compare' goal, not phase bound. It performs the actual
> > comparsion.
> >
> > Strictly speaking if the plugin is called buildinfo it should handle the
> > buildinfo files only.
> >
> > >> At least in 3.7.x.
> > >
> > > 3.7.x as Maven 3.7.x?
> > > does that mean that you think it should be one day integrated into Maven
> > > core? what's the rationale?
> >
> > Not really, but if this happens, not before 4.x. I don't have any
> > rationale or entry point for this yet.
> >
> > Michael
> >
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [hidden email]
> > For additional commands, e-mail: [hidden email]
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]





---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]