Comments (12)
I've just published version 0.8 on Maven Central.
from reproducible-build-maven-plugin.
Hi!
Thanks for reporting this interesting issue. I think the plugin should fix that. I will have a look at it.
from reproducible-build-maven-plugin.
It may be trickier than I thought:
- In a regular JAR file, it seems that all files should/could have rw-r--r-- access rights (rwx-r-xr-x for folder). However, there may be some particular cases I'm not thinking of that could require different access rights.
- In a ZIP file (e.g. created by maven-assembly-plugin), we cannot fix/change the access rights because there may have been imposed by the user (in the assembly descriptor).
So the "best" solution I can think of is to do nothing for ZIP files, and impose rw-r--r-- for files and rwx-r-xr-x for folders inside JAR files, but I'm afraid of possible regressions.
from reproducible-build-maven-plugin.
Hi guys, could you share any news on this issue? If I got the last comment right, it's pretty safe to fix that for jar contents.
Are you going to work on it or waiting for contributions?
from reproducible-build-maven-plugin.
Hi. As I said, I'm afraid to break the artefacts by enforcing access rights. Did you face this problem in the "real life"? Most Linux distros seem to use the same default umask, and I except very few users to change it.
from reproducible-build-maven-plugin.
Unfortunatelly yes - buildsystem was out of control in my team and we found that umask was not standard after it was "silently" fixed recently, checksums of our artifacts was changed, so we had to pin umask back as a prebuild step. I'd be happy to be protected from this via your plugin as it already address a lot of things that contributes to chance to get unreproducible artifact.
I understand that it is not clear if it's safe to apply this by default, but maybe consider adding this feature as optional and enabled by flag in configuration?
from reproducible-build-maven-plugin.
Ok I will try to work on it.
from reproducible-build-maven-plugin.
I've just added a new configuration option to try to fix this problem, but I'm thinking of a potential other smarter and more flexible solution.
from reproducible-build-maven-plugin.
Cool, thank you!
from reproducible-build-maven-plugin.
tested fix OK with current master of reproducible-build-maven-plugin 9d3bf78
adding in pom.xml
<properties> <reproducible.fixZipExternalFileAttributes>true</reproducible.fixZipExternalFileAttributes> </properties>
waiting for release of 0.8 ;-)
thank you.
from reproducible-build-maven-plugin.
Hi @codespotx, thank you for your feedback. I still have to check a few things and then I will release the 0.8 version.
from reproducible-build-maven-plugin.
I made a little change so that now fixZipExternalFileAttributes=true produces the exact same artifact then with fixZipExternalFileAttributes=false AND umask=0022.
If it's ok for everybody, I'll release 0.8.
from reproducible-build-maven-plugin.
Related Issues (20)
- Support jenkins plugin .hpi HOT 1
- ManifestAttributes tag How to configure HOT 1
- eliminate the property type file timestamp in any zip type package HOT 2
- Remove timestamps from JAXB generated classes and remove sun-jaxb.episode HOT 4
- maven-project-info-reports-plugin can't get pom HOT 3
- Feature Request: Explicitly define files to be processed HOT 1
- Feature Request: Set line endings in text files HOT 8
- several `time` in git.properties file is not reproducible HOT 1
- version v0.9 cannot make jar file reproducible HOT 2
- Support multiproject HOT 4
- Spring boot project not reproducible HOT 18
- Outputs corrupt jars when in a spring boot executable project HOT 6
- strip-jar goal breaks TAR entries HOT 8
- file name is too long ( > 100 bytes) HOT 5
- war packaging with embedded jar file HOT 8
- Module-info not reproducible due to rogue timestamp HOT 3
- Can't get the includes to work for jars within Spring boot build HOT 1
- Spring Boot spring.factories causing unreproducible builds HOT 5
- Clarify the difference of latest maven support for reproducible build and features of plugin HOT 8
- CPIO support
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from reproducible-build-maven-plugin.