Guardsquare/proguard

Provide documentation on best practices when obfuscating a Gradle Kotlin multimodule Spring Boot application

matthewadams opened this issue · 2 comments

NB: This is basically an attempt to resurrect this old issue.

We looked at the example referenced in this issue, which is quite out of date now, plus, it's a single-module Gradle Groovy Spring Boot project. We had to jump through some serious hoops to get ProGuard to work in our Gradle Kotlin multimodule Spring Boot 3.x project. So many, in fact, that we entered an issue to include a Spring Initializr option to add ProGuard configuration in the generated Spring Boot project. Due to the plethora of ProGuard options, they declined.

That prompted me to request that the Spring folks partner with y'all to produce an authoritative example as a blog/article/documentation, but they declined, stating that they had no ProGuard expertise on staff.

Most of the current ProGuard documentation is specific to Android projects, but Spring Boot is an entirely different beast. As such, I second @shuishuijiao's request to add documentation, including best practices, on how to obfuscate a multimodule Gradle Kotlin Spring Boot project. There are many things to consider, and this effort cost us more than two weeks of effort. We are still not 100% confident we nailed the best practices. It seems to work, but we're pretty nervous about using our obfuscated Spring Boot jar.

As the pendulum swings away from cloud deployments toward edge-based, on-prem solutions, I think you can expect to see more and more ProGuard users obfuscating in this environment.

Hi @matthewadams!

Good to hear that you've successfully integrated ProGuard into your Spring Boot application. It's a shame that the Spring folks are not able to add ProGuard to the documentation / Initializr project.

However, I think the knowledge you've gained in your effort to integrate ProGuard in your project could be extremely useful for you to share with others. We'd be happy to accept PRs for updating the Spring sample to a more modern sample, or adding some extra documentation to the manual. You could also share your knowledge in a post on the ProGuard community.

Having you suggest that we simply submit a PR is not what I had in mind. I was basically requesting that you work with the Spring team to document The Way™️. We do not have any confidence that what we've implemented reflects best practices, or will even work in general. We wasted much time on this, and don't really have the bandwidth to create a sample Spring Boot Gradle Kotlin multiproject that illustrates what we needed to do adequately. We'd consider a quick meeting with you to show you what we've done, but that's about the extent of it until we exit the lean startup phase (if ever).

There will be an increasing number of these use cases as edge computing offerings increase in number, and I'd think you'd see the work effort to do this as your opportunity to capture more market share by lowering the barrier to entry for using ProGuard with Spring Boot applications. Feel free to close if you're not interested.