jar files depends on umask about reproducible-build-maven-plugin HOT 12 CLOSED

I've just published version 0.8 on Maven Central.

from reproducible-build-maven-plugin.

Hi!
Thanks for reporting this interesting issue. I think the plugin should fix that. I will have a look at it.

from reproducible-build-maven-plugin.

It may be trickier than I thought:

• In a regular JAR file, it seems that all files should/could have rw-r--r-- access rights (rwx-r-xr-x for folder). However, there may be some particular cases I'm not thinking of that could require different access rights.
• In a ZIP file (e.g. created by maven-assembly-plugin), we cannot fix/change the access rights because there may have been imposed by the user (in the assembly descriptor).

So the "best" solution I can think of is to do nothing for ZIP files, and impose rw-r--r-- for files and rwx-r-xr-x for folders inside JAR files, but I'm afraid of possible regressions.

from reproducible-build-maven-plugin.

Hi guys, could you share any news on this issue? If I got the last comment right, it's pretty safe to fix that for jar contents.
Are you going to work on it or waiting for contributions?

from reproducible-build-maven-plugin.

Hi. As I said, I'm afraid to break the artefacts by enforcing access rights. Did you face this problem in the "real life"? Most Linux distros seem to use the same default umask, and I except very few users to change it.

from reproducible-build-maven-plugin.

Unfortunatelly yes - buildsystem was out of control in my team and we found that umask was not standard after it was "silently" fixed recently, checksums of our artifacts was changed, so we had to pin umask back as a prebuild step. I'd be happy to be protected from this via your plugin as it already address a lot of things that contributes to chance to get unreproducible artifact.

I understand that it is not clear if it's safe to apply this by default, but maybe consider adding this feature as optional and enabled by flag in configuration?

from reproducible-build-maven-plugin.

Ok I will try to work on it.

from reproducible-build-maven-plugin.

I've just added a new configuration option to try to fix this problem, but I'm thinking of a potential other smarter and more flexible solution.

from reproducible-build-maven-plugin.

Cool, thank you!

from reproducible-build-maven-plugin.

tested fix OK with current master of reproducible-build-maven-plugin 9d3bf78

adding in pom.xml
<properties> <reproducible.fixZipExternalFileAttributes>true</reproducible.fixZipExternalFileAttributes> </properties>

waiting for release of 0.8 ;-)

thank you.

from reproducible-build-maven-plugin.

Hi @codespotx, thank you for your feedback. I still have to check a few things and then I will release the 0.8 version.

from reproducible-build-maven-plugin.

I made a little change so that now fixZipExternalFileAttributes=true produces the exact same artifact then with fixZipExternalFileAttributes=false AND umask=0022.
If it's ok for everybody, I'll release 0.8.

from reproducible-build-maven-plugin.