Zlika/reproducible-build-maven-plugin

Provide a goal to capture build environment characteristics

kocakosm opened this issue · 3 comments

The plugin should provide a goal to capture the current build environment characteristics and write them down to a file (somehow similar in scope to Debian's .buildinfo file).

The characteristics that should be captured are (at least):

  • the host OS name and architecture ("os.name" and "os.arch" system properties)
  • the JDK vendor and exact version ("java.vendor" and "java.version" system properties)

This file could then, for instance, be version controlled so that the environment used to build a specific version can be reproduced by anyone willing to verify the project's binary artifacts.
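One way to implement the capture and the later check that the issue describes, as an added example in plain Java (not the plugin's own code; the key list is the one named above and the file name is an assumption):

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;
import java.util.TreeMap;

/** Records the build environment as a .buildinfo-style properties file and checks it later. */
public final class BuildInfo {
    // Keys named in the issue; extend with e.g. "java.vm.version" if your build depends on it.
    private static final String[] KEYS = {"os.name", "os.arch", "java.vendor", "java.version"};

    /** Current JVM values for the tracked keys, sorted so the file content is stable. */
    public static TreeMap<String, String> capture() {
        TreeMap<String, String> env = new TreeMap<>();
        for (String key : KEYS) {
            env.put(key, System.getProperty(key, ""));
        }
        return env;
    }

    /** Writes key=value lines by hand: Properties.store() would add a timestamp comment,
     *  which is itself a source of non-reproducible output. */
    public static void write(Path file, TreeMap<String, String> env) throws IOException {
        StringBuilder sb = new StringBuilder();
        env.forEach((k, v) -> sb.append(k).append('=').append(v).append('\n'));
        Files.write(file, sb.toString().getBytes(StandardCharsets.UTF_8));
    }

    /** Compares a recorded file with the current environment; an empty list means it matches. */
    public static List<String> verify(Path recorded) throws IOException {
        Properties expected = new Properties();
        try (Reader r = Files.newBufferedReader(recorded, StandardCharsets.UTF_8)) {
            expected.load(r);
        }
        List<String> mismatches = new ArrayList<>();
        TreeMap<String, String> actual = capture();
        for (String key : KEYS) {
            String want = expected.getProperty(key);
            if (want == null || !want.equals(actual.get(key))) {
                mismatches.add(key + ": recorded=" + want + ", current=" + actual.get(key));
            }
        }
        return mismatches;
    }
}
```

Call write(Path.of("buildinfo.properties"), capture()) at release time and commit the file; whoever rebuilds calls verify(...) on the committed copy and treats a non-empty result as an environment mismatch before comparing artifact checksums.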

Zlika commented

Hi!
Thank you for reporting this issue.
Capturing the build environment characteristics does not seem so easy (it's definitely easier when you are in a "closed" environment like a Linux distro). For example, in some of my projects I also compile native code during the maven build, so I would also need to capture the name and version of the C compiler. And where to put this build env. file? I proposed several ideas in Reproducible/Verifiable Builds but I think there is nothing that could be easily and reliably done by this plugin.

Hi,

Thanks for your response.

I totally agree this is not an easy task... There are of course projects with native code out there, not to mention projects using some "advanced" maven-compiler-plugin configuration options...

I didn't know the maven project had an ongoing effort regarding reproducible builds support. There are some interesting potential solutions listed in the wiki page you mention. But as far as I understand there is still no consensus on a solution yet...

In one of my projects (with a "standard" build process, i.e. no native code, no exotic maven-compiler-plugin configuration) I use a version controlled file where I manually specify the relevant information about the environment used to release the project so that one can verify the build by getting the source from the repository specified in the deployed pom, checking out the revision corresponding to the deployed binary, reproducing a "close enough" build environment, building the project from source and, finally, verifying that the checksum of the built artifact matches the checksum of the deployed one.

Of course this is not ideal, mainly because the maintenance of this "build info" file is manual. I tried to automatically update and commit this file in the "prepare" step of the maven-release-plugin, but this is not easy and quite cumbersome. Also, I was wondering if having this file in the source repository was a good idea...

Anyway, I'll close this issue here since there is an "upstream" effort regarding this issue.

Thanks again for your time.

Zlika commented

For your use case, maybe you could use maven-enforcer-plugin as a way to force all your users to have the same java compiler and maven versions.