Clarify the difference of latest maven support for reproducible build and features of plugin
zeldigas opened this issue · 8 comments
Hello, first I'd like to thank you again for this great plugin - I'm long time user and it helps us a lot to get reproducible artifacts.
Now getting back to issue. Right now docs mention that
Recent versions of the main Maven plugins have been modified to allow reproducible builds without the use of this plugin
I feel that by reading this, potential user might get puzzled - "What should I choose then?". Would be great to list some use-cases when stock maven functionality will be enough (I suppose it is something like building plain jar file in regular env) and scenarios when it will not be enough and using this plugin will be way more easier (or the only way to do things).
I assume this is related with some processing of custom files like properties (e.g. spring.factories) or fixing permissions of archive entries that was added in #24, but still.
I would love to know this as well because I think that almost everything is now available out of the box from Maven ecosystem.
Hi all,
Lots of Maven plugins have been updated to be compatible with reproducible builds (cf. https://maven.apache.org/guides/mini/guide-reproducible-builds.html and https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318). I don't have a precise list of all the features of this plugin vs all the maven plugins that have been fixed, so the best way to know if this plugin is still useful for your project is to test the reproducibility without/with this plugin.
Hopefully we can retire this plugin this year and have everything by default available.
Hi Thomas;
I just proposed #57 to make the plugin's build reproducible, so the next release published to central can be reproduced.
On comparing what you did in this plugin (that was my starting point with you a few years ago, what a great work together) vs what is covered nowadays, we wrote the feature in the documentation http://zlika.github.io/reproducible-build-maven-plugin/ in the goal paragraph:
strip-jar
fixes normal jars reproducibility: AFAIK,maven-jar-plugin
now does the jobstrip-jaxb
fixes noise introduced by jaxb: AFAIK, it's yet to be fixed, as seen in https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/isis/isis-all-2.0.0-M7.diffoscope
Then I think only the strip-jaxb
is still relevant nowadays
I'll be at Devoxx France in 1 month, I hope to see you there :)
Thanks @hboutemy. I was not able to find a ticket for Devoxx Fr this time, I'll try Devoxx Belgium... Do you plan a talk to present these new Maven reproducible build features?
I did not submit any talk yet: I probably should, given there are many visible results, and still much to do...