jetty-jspc-maven-plugin: Support reproducible builds #12295
Comments
I also found a good instruction https://vishia.org/Java/html5/source+build/reproducibleJar.html

In basic usage it looks like it should be enough to add to the pom.xml a static build timestamp:

```xml
<properties>
  <project.build.outputTimestamp>2023-01-01T00:00:00Z</project.build.outputTimestamp>
</properties>
```

But also we need to exclude a few generated fields from the jar manifest:

```xml
<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-jar-plugin</artifactId>
  <version>3.4.2</version>
  <configuration>
    <archive>
      <manifest>
        <!-- Don't add Created-By and Build-Jdk-Spec fields to manifest for reproducible builds -->
        <addDefaultEntries>false</addDefaultEntries>
      </manifest>
    </archive>
  </configuration>
</plugin>
```
I will check the jspc plugin, but I guess some files generated by Jasper may contain some timestamp.
FTTR this has been added because of this finding: As you can see Jasper is adding some timestamps in generated Java files and even names in web.xml are different :(
The JSPs are not compiled deterministically. Sometimes they use an early return but sometimes not. I guess this may happen because a compiler internally has some hashmap with random order.
@stokito don't hesitate to activate Reproducible Builds even if one plugin is not ok: RB is a journey, it's ok not to be perfect on first iteration
@stokito your Openfire project is interesting: https://github.com/igniterealtime/Openfire Having third party rebuild independently and comparing to reference is a key workflow: IIUC current latest release 4.9.0 does not try to have Reproducible Builds, it would be nice to have next release activating the Reproducible Builds flag, so we can share concrete rebuilds and their difference to the reference released binaries
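Added example (not part of the thread, and not Jetty or Maven code): the rebuild-and-compare workflow described above, in Python, reporting which jar entries differ in content or in zip entry timestamp. The two sample jars, their entry names and the generated-source comment are constructed for illustration.

```python
import hashlib
import io
import zipfile

FIXED = (2023, 1, 1, 0, 0, 0)  # mirrors the outputTimestamp value quoted in the thread

def make_jar(entries, mtime=FIXED):
    """Build a jar in memory, stamping every entry with the same mtime."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()

def fingerprint(jar_bytes):
    """Map entry name -> (SHA-256 of the content, zip entry mtime)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}

def diff_jars(reference, rebuild):
    """Return (entry, reason) pairs explaining why two jars are not identical."""
    ref, new = fingerprint(reference), fingerprint(rebuild)
    findings = []
    for name in sorted(ref.keys() | new.keys()):
        if name not in ref or name not in new:
            findings.append((name, "present in only one build"))
            continue
        if ref[name][0] != new[name][0]:
            findings.append((name, "content differs"))
        if ref[name][1] != new[name][1]:
            findings.append((name, "entry timestamp differs"))
    return findings

def sample_build(stamp, mtime=FIXED):
    """Constructed stand-in for a jar holding a generated JSP servlet source."""
    src = f"// generated at {stamp} (constructed)\nclass index_jsp {{}}\n".encode()
    return make_jar({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
                     "org/apache/jsp/index_jsp.java": src}, mtime)

if __name__ == "__main__":
    reference = sample_build("2024-05-17 10:30:02")
    rebuild = sample_build("2024-05-18 09:12:44")  # same sources, built a day later
    for entry, reason in diff_jars(reference, rebuild):
        print(f"{entry}: {reason}")
```

An empty result from `diff_jars` means every entry matches in content and timestamp; for full bit-for-bit verification, also compare a hash of the whole jar file.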
@stokito right after some digging. I think it's a non issue as you are using jetty 11.x (why not upgrading to 12? ;) ). This has been fixed in Apache Tomcat code with this change apache/tomcat@374690d#diff-57d2f0a72170743f6c3687a48997b2aa37d8d209efe200f00a0b9dc51fc7e572 I agree with @hboutemy we need to remove the warning coming from the Apache Maven Artifact plugin.
@stokito I would consider this as not an issue.
Also note, Jetty 11 is at End of Community Support.
Closing this as PR to the maven plugin has been merged |
Jetty version(s)
11.0.20
Enhancement Description
Reproducible builds are needed to get an independently-verifiable path from source to binary code. This mainly means removing build timestamps and compiler-specific info.
Maven does support them and provides a guide, Configuring for Reproducible Builds.
So here is the first question: is the build of the Jetty artifacts reproducible?
I have the jetty-jspc-maven-plugin v11.0.20 used to compile JSP pages and when I run
`mvn artifact:check-buildplan`
it shows the error:
I'm not sure if there are any problems, maybe the plugin is perfectly fine and makes reproducible builds. Maybe this can be reported to Maven itself.
But anyway it would be great if you can officially confirm that the plugin does support such a way of building.
So do you know if any problems may arise with the plugin?