| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
| |
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Change-Id: I9d06bb08fc1f9a2a08d4bc5a4459ec7e7e8c1be4
|
|
|
|
| |
Change-Id: I7c93847054050a0af0d2c16e724e5755f9fa33bf
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags,
git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of
checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure
version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3] they should have a build
timestamp matching the time when the build was executed and a serial
number which is a unique UUID per build run. Hence exclude them from
comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects
build timestamp in ISO-8601 format, to replace the qualifier in
versions the timestamp format must be compatible with rules for OSGi
version numbers. Didn't find a way to read the properties set by the
git-commit-id-maven-plugin from another plugin. Hence use JGit in a
groovy script to get the commit time of the current HEAD and provide
it in these two formats.
TODO: packaging build (features and p2 repository) is not yet binary
reproducible since that's not yet supported by Tycho [5], artefacts have
reproducible version numbers but file lastModified timestamps are not
yet reproducible.
Test plan for Maven build:
- build using
mvn clean install"
- verify second build is reproducible:
mvn -T1 clean verify artifact:compare
verification seems not to be thread-safe, hence run it with a single
thread using option -T1
For packaging build (still fails due to non-reproducible file
timestamps):
- build using
mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible:
mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare
[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] https://github.com/eclipse-tycho/tycho/issues/233
Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
|
|
|
|
|
|
|
|
| |
and specify JGit's license using its SPDX identifier.
See https://gitlab.eclipse.org/eclipsefdn/emo-team/sbom/-/blob/main/docs/sbom.adoc#sbom-maven
Change-Id: I8f022002c84200ea430325916fa38c3764979c02
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
consuming it directly from Maven Central.
The bundle net.i2p.crypto.eddsa 0.3.0 contains bad OSGi metadata,
earlier it was repackaged in Orbit tweaking its mandatory dependency to
sun.security.x509 to an optional dependency.
This project seems to be orphaned, probably because Java 15 added
support for eddsa with JEP339 [1].
This repackaged bundle is no longer available after Orbit was renovated
[2] to consume the vast majority of bundles directly from Maven Central
without repacking them. Hence we have to workaround this (probably
false) mandatory dependency. For that export an empty dummy package
"sun.security.x509" to satisfy OSGi.
[1] https://openjdk.org/jeps/339
[2] https://github.com/eclipse-orbit/orbit-simrel/issues/15
Change-Id: I2267e15823ebce6cf1d448e1e16a129f703e0f80
|
|
|
|
|
|
|
| |
- add target platform for Eclipse 4.30 (2023-12)
- update org.apache.ant to 1.10.14
Change-Id: Ib7fa7cb79e93ecd6009784bc0ad4269bfa71cb29
|
|
|
|
|
|
| |
Set upper bound to 2023.
Change-Id: I67acc12b3fe80ab7ca4a9303b0e96325a1e707e9
Signed-off-by: Thomas Wolf <twolf@apache.org>
|
|
|
|
| |
Change-Id: I918e308e71fa978c9f25e3fad63c5f2e94ec3be7
|
|
|
|
| |
Change-Id: I896298f9e94b50dda6c6396e652f4a191a722a68
|
|
|
|
| |
Change-Id: I60ad9ea9300099eeabbb5023d7a5264593e60dc0
|
|
|
|
| |
Change-Id: Ifc81f0a96c2ced0b25926b9daa539d9cfc951925
|
|
|
|
| |
Change-Id: I96097ef8c6f198220f513bbc6d5f8881834a1491
|
|
|
|
|
| |
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Change-Id: Ibe952d97bc178adb909cdd40f48957f5b68af699
|
|
|
|
|
|
|
|
|
|
|
| |
The jgit p2 repo should contain all 3rd party dependencies needed at
runtime but not dependencies only used in tests.
- remove assertj-core since it's only used in tests
- add org.eclipse.osgi and org.osgi.service.cm which are runtime
dependencies
Change-Id: Ie789cb8feab0905e7e23aae1d5378e82a0088992
|
|
|
|
| |
Change-Id: I6e61278467ad11d28c08ee6b49e04dac0593f3e6
|
|
|
|
| |
Change-Id: Ic62864aaf15388b8f20b2db8aa65d1dcf03465a6
|
|
|
|
| |
Change-Id: Iee257eef4cdc3235db6172e19d8d271ff9988fa4
|
|
|
|
| |
Change-Id: I49751232464e70b7d1dc3292a9f36b7a7015e44f
|
|
|
|
|
| |
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Change-Id: I712a9f6830364ed404d03f3a145c055906273544
|
|
|
|
|
|
| |
since it's not used anymore.
Change-Id: I884c5e5854d6a1f5b104d8d3bb0419e860fa34ca
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Switch to bundle dependencies for hamcrest 1.3 to avoid issues with
split packages in that version.
Don't allow hamcrest 2.x yet since junit 4.13.2 still requires hamcrest
1.3.
See Orbit restructuring in
https://github.com/orgs/eclipse-orbit/discussions/49
Change-Id: I8faf519b8f2c4e4a6bd255d694d1aa28017acd85
|
|
|
|
| |
Change-Id: I62f9bacebf0a2a2cba6ffde7936572e3f05a629c
|
|
|
|
| |
Change-Id: I3b8794bdb43db12c2eacda1de27651686c41abf5
|
|
|
|
| |
Change-Id: Ib619bc09bf79c0f9e7526c0303606f314e8c1209
|
|
|
|
| |
Change-Id: Ic569f348106e917001fbaa25a302fc20cca56244
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* stable-6.6:
Update to Tycho 4.0.1
Add verification in GcKeepFilesTest that bitmaps are generated
Express the explicit intention of creating bitmaps in GC
GC: prune all packfiles after the loosen phase
Prepare 5.13.3-SNAPSHOT builds
JGit v5.13.2.202306221912-r
Change-Id: I7294c21748897eb3f94eeffbda944b62e3206c0d
|
| |
| |
| |
| |
| |
| |
| |
| | |
Tycho 4.0.0-SNAPSHOT is no longer available and it's a bad practice to
depend on any snapshot version (we had to since this was the only way
to get gpg signing to work in time for releasing 6.6.0).
Change-Id: I1d4af5f69965b4cad50b379fd81f6f442b38c8d0
|
| |
| |
| |
| | |
Change-Id: I936d2d9106a1e3b7a98ec89fec8ae8a92ec765f2
|
| |
| |
| |
| |
| | |
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Change-Id: I255a979e9f48f60a251ef7b74ced3f720f012706
|
| |
| |
| |
| | |
Change-Id: I64617b17a168da1966b93c283c150d549477f3e1
|
| |
| |
| |
| |
| |
| |
| | |
Now that it is released there is no need anymore to use a snapshot
version.
Change-Id: Idd35c48022370abf18049ef4b6ddd6253613888e
Signed-off-by: Thomas Wolf <twolf@apache.org>
|
| |
| |
| |
| | |
Change-Id: Ia9de3f9fb6f51ac55a7c551cab4ce199318c1114
|
|\|
| |
| |
| |
| |
| |
| |
| |
| | |
* stable-6.6:
Update Orbit to R20230531010532 for 2023-06
Bazel: Fix remote build execution for Java 17
Bump bazel vesion to 6.2.0
Change-Id: I107eb2cd1ce3cb7670e7418ffd74a7b94ab858a6
|
| |
| |
| |
| | |
Change-Id: I844efc4bec153931f0a7b3c694bade4f5b166295
|
| |
| |
| |
| | |
Change-Id: I0036999e2be076d4ad8231410faeff51bf9cbf52
|
| |
| |
| |
| |
| | |
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Change-Id: I33b45b0cf36835b289ecbb5a1a9fc4ad7fc200cd
|
| |
| |
| |
| | |
Change-Id: I7538759005b9a4eb8f1ae9337ce0056500eb7227
|
| |
| |
| |
| | |
Change-Id: I3f92a32ccf795ae8c6c4e1699d0040ac84d743c2
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* stable-6.6:
Update to Orbit S20230516204213
Prepare 6.6.0-SNAPSHOT builds
JGit v6.6.0.202305241045-m3
Prepare 6.6.0-SNAPSHOT builds
JGit v6.6.0.202305031100-m2
Change-Id: Ibceebbce6aebba7a8670de41eb39eb23b14b8c74
|
| |
| |
| |
| | |
Change-Id: I4daae47b8d2e244b78dff5ca072e41153e7e6734
|
| |
| |
| |
| | |
Change-Id: If0e4e8ce5f3e2f5170f313fb9b26b4ec0e34dab9
|
| |
| |
| |
| |
| | |
Signed-off-by: Matthias Sohn <matthias.sohn@sap.com>
Change-Id: I204708812b9cb6f98f9c29e28548b91da0d88d91
|
|/
|
|
| |
Change-Id: I50ff7ee31046cfc29a087c8963be3deae24b1c9c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We need to update to Tycho in order to force PGP signing of the
bouncycastle libraries which isn't supported by earlier Tycho versions.
For that we need to run Maven on Java 17 or higher.
In order to run tests on Java 11 add a `toolchain.xml` file into the
`~/.m2` directory providing the path to Java installations:
<?xml version='1.0' encoding='UTF-8'?>
<toolchains>
<toolchain>
<type>jdk</type>
<provides>
<id>JavaSE-11</id>
<version>11</version>
</provides>
<configuration>
<jdkHome>/path/to/java-11</jdkHome>
</configuration>
</toolchain>
<toolchain>
<type>jdk</type>
<provides>
<id>JavaSE-17</id>
<version>17</version>
</provides>
<configuration>
<jdkHome>/path/to/java-17</jdkHome>
</configuration>
</toolchain>
</toolchains>
Change-Id: Ib0f18147826e5b4a7fa1f41590772516269de702
|
|
|
|
|
|
|
|
|
| |
This ensures bundles directly pulled from Maven Central are PGP signed
by Tycho.
See https://docs.google.com/document/d/1MnDBvOUwKvKacB-QKnH_PzK88dUlHkjs-D-DWEKmvkY
Change-Id: I2a9308c091e602d40a1c143edb506a3e43dd0dc2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This reverts commit 7e094c6cf32d6b6c2e49c72d506149427e97c5ab.
Reason: the maven artifact has a broken MANIFEST.MF with a mandatory
dependency to sun.security.x509, which is an internal package in the
JDK and moreover not needed by the bundle except for one test class
that isn't in the bundle at all.
This extra dependency makes the JGit tycho packaging build fail when
Tycho 4 is used.
We must keep using the Orbit re-packaging of this artifact, which does
not have this unnecessary mandatory dependency.
Change-Id: Ica15a5ddcada09686de3055b2b3daf081e3c5ffc
Signed-off-by: Thomas Wolf <twolf@apache.org>
|
|
|
|
| |
Change-Id: I4039b56b1cdc54ff1886c2a4973d857d785989c2
|
|
|
|
| |
Change-Id: I08e51450f70f941761539d3f08dd65c5d706dcdc
|
|
|
|
| |
Change-Id: I87d65e66e1cac64ccb744632ea45d06f8b8637fe
|
|
|
|
| |
Change-Id: I5e24a31b78ef3758e1ce84e3b0eacaff1608fcd9
|