Clarify the difference of latest maven support for reproducible build and features of plugin

Question

Clarify the difference of latest maven support for reproducible build and features of plugin

zeldigas opened this issue 3 years ago · 8 comments

Hello, first I'd like to thank you again for this great plugin - I'm long time user and it helps us a lot to get reproducible artifacts.

Now getting back to issue. Right now docs mention that

Recent versions of the main Maven plugins have been modified to allow reproducible builds without the use of this plugin

I feel that by reading this, potential user might get puzzled - "What should I choose then?". Would be great to list some use-cases when stock maven functionality will be enough (I suppose it is something like building plain jar file in regular env) and scenarios when it will not be enough and using this plugin will be way more easier (or the only way to do things).

I assume this is related with some processing of custom files like properties (e.g. spring.factories) or fixing permissions of archive entries that was added in #24, but still.

Answer 1 · 2022-01-04T19:39:35.000Z

I would love to know this as well because I think that almost everything is now available out of the box from Maven ecosystem.

Answer 2 · 2022-01-06T17:51:08.000Z

Hi all,
Lots of Maven plugins have been updated to be compatible with reproducible builds (cf. https://maven.apache.org/guides/mini/guide-reproducible-builds.html and https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=74682318). I don't have a precise list of all the features of this plugin vs all the maven plugins that have been fixed, so the best way to know if this plugin is still useful for your project is to test the reproducibility without/with this plugin.

Answer 3 · 2022-01-06T18:01:32.000Z

Hopefully we can retire this plugin this year and have everything by default available.

Answer 4 · 2022-03-15T00:22:12.000Z

Hi Thomas;
I just proposed #57 to make the plugin's build reproducible, so the next release published to central can be reproduced.

On comparing what you did in this plugin (that was my starting point with you a few years ago, what a great work together) vs what is covered nowadays, we wrote the feature in the documentation http://zlika.github.io/reproducible-build-maven-plugin/ in the goal paragraph:

strip-jar fixes normal jars reproducibility: AFAIK, maven-jar-plugin now does the job
strip-jaxb fixes noise introduced by jaxb: AFAIK, it's yet to be fixed, as seen in https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/isis/isis-all-2.0.0-M7.diffoscope

Then I think only the strip-jaxb is still relevant nowadays

I'll be at Devoxx France in 1 month, I hope to see you there :)

Answer 5 · 2022-03-15T10:22:42.000Z

Thanks @hboutemy. I was not able to find a ticket for Devoxx Fr this time, I'll try Devoxx Belgium... Do you plan a talk to present these new Maven reproducible build features?

Answer 6 · 2022-03-15T17:46:04.000Z

I did not submit any talk yet: I probably should, given there are many visible results, and still much to do...