author | Matthias Sohn <matthias.sohn@sap.com> | 2023-10-06 01:10:40 +0200 |
---|---|---|
committer | Matthias Sohn <matthias.sohn@sap.com> | 2023-11-09 00:08:42 +0100 |
commit | 6007371e3a21970dd34ae91ac20460922a15488e (patch) | |
tree | f4c77f590e98032641d274a8714f5ead5d0e2f42 /org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.26.target | |
parent | 97afcb050b182beacd1c6913d8293d6ba0a9989e (diff) | |
download | jgit-6007371e3a21970dd34ae91ac20460922a15488e.tar.gz jgit-6007371e3a21970dd34ae91ac20460922a15488e.zip |
Enable Maven reproducible builds

- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags,
  git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of
  checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure
  version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3] they should have a build
  timestamp matching the time when the build was executed and a serial
  number which is a unique UUID per build run. Hence exclude them from
  comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects
  build timestamp in ISO-8601 format, to replace the qualifier in
  versions the timestamp format must be compatible with rules for OSGi
  version numbers. Didn't find a way to read the properties set by the
  git-commit-id-maven-plugin from another plugin. Hence use JGit in a
  groovy script to get the commit time of the current HEAD and provide
  it in these two formats.

TODO: packaging build (features and p2 repository) is not yet binary
reproducible since that's not yet supported by Tycho [5], artefacts have
reproducible version numbers but file lastModified timestamps are not
yet reproducible.

Test plan for Maven build:
- build using
  mvn clean install
- verify second build is reproducible:
  mvn -T1 clean verify artifact:compare
  verification seems not to be thread-safe, hence run it with a single
  thread using option -T1

For packaging build (still fails due to non-reproducible file
timestamps):
- build using
  mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible:
  mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare

[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] https://github.com/eclipse-tycho/tycho/issues/233

Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
Diffstat (limited to 'org.eclipse.jgit.packaging/org.eclipse.jgit.target/jgit-4.26.target')
0 files changed, 0 insertions, 0 deletions
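
When a rebuild does not match, it helps to know whether an archive differs in content or only in entry timestamps, the failure mode the TODO above describes for the packaging build. The following is an added example, not part of this commit or of JGit: the function names are hypothetical, the SBOM file-name endings are an assumption about the CycloneDX output, and the sample jars are constructed in memory.

```python
import hashlib
import io
import zipfile

# Assumed SBOM file-name endings (CycloneDX output); adjust to your build.
SBOM_SUFFIXES = ("bom.json", "bom.xml", "cyclonedx.json", "cyclonedx.xml")

def _entries(data):
    """Map each zip entry name to (SHA-256 of its content, stored mtime)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}

def classify(a, b):
    """Say how two builds of one artifact differ, not just that they do."""
    if a == b:
        return "identical"
    if not all(zipfile.is_zipfile(io.BytesIO(x)) for x in (a, b)):
        return "content-differs"  # not an archive: any byte change is content
    ea, eb = _entries(a), _entries(b)
    if ea.keys() != eb.keys():
        return "entries-differ"
    if any(ea[n][0] != eb[n][0] for n in ea):
        return "content-differs"
    if any(ea[n][1] != eb[n][1] for n in ea):
        return "timestamps-only"
    return "metadata-only"  # entry order, compression or extra fields

def compare_builds(first, second):
    """Compare artifacts present in both {name: bytes} outputs, skipping SBOMs."""
    return {name: "skipped-sbom" if name.endswith(SBOM_SUFFIXES)
            else classify(first[name], second[name])
            for name in sorted(first.keys() & second.keys())}

def make_jar(files, stamp):
    """Build a constructed in-memory jar whose entries all carry `stamp`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

def demo():
    """Constructed sample: two runs differing in entry mtimes and SBOM serial."""
    files = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    run1 = {"a.jar": make_jar(files, (2023, 11, 8, 23, 8, 42)), "bom.json": b'{"serialNumber":"1"}'}
    run2 = {"a.jar": make_jar(files, (2023, 11, 9, 10, 0, 0)), "bom.json": b'{"serialNumber":"2"}'}
    return compare_builds(run1, run2)
```

A "timestamps-only" verdict means the compiled content is stable and only the archive metadata still needs pinning; "content-differs" points at a real nondeterminism in the build.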