From 6007371e3a21970dd34ae91ac20460922a15488e Mon Sep 17 00:00:00 2001 
From: Matthias Sohn
Date: Fri, 6 Oct 2023 01:10:40 +0200
Subject: Enable Maven reproducible builds

- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags, git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3]: they should have a build timestamp matching the time when the build was executed and a serial number which is a unique UUID per build run. Hence exclude them from comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects the build timestamp in ISO-8601 format; to replace the qualifier in versions, the timestamp format must be compatible with the rules for OSGi version numbers. Didn't find a way to read the properties set by the git-commit-id-maven-plugin from another plugin. Hence use JGit in a groovy script to get the commit time of the current HEAD and provide it in these two formats.

TODO: packaging build (features and p2 repository) is not yet binary reproducible since that's not yet supported by Tycho [5]; artefacts have reproducible version numbers but file lastModified timestamps are not yet reproducible.

Test plan for Maven build:
- build using mvn clean install
- verify second build is reproducible: mvn -T1 clean verify artifact:compare
  verification seems not to be thread-safe, hence run it with a single thread using option -T1

For packaging build (still fails due to non-reproducible file timestamps):
- build using mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible: mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare

[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] https://github.com/eclipse-tycho/tycho/issues/233

Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
---
 org.eclipse.jgit.packaging/pom.xml | 71 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 70 insertions(+), 1 deletion(-)
(limited to 'org.eclipse.jgit.packaging')

diff --git a/org.eclipse.jgit.packaging/pom.xml b/org.eclipse.jgit.packaging/pom.xml index ba73e9204f..715491d472 100644 --- a/org.eclipse.jgit.packaging/pom.xml +++ b/org.eclipse.jgit.packaging/pom.xml @@ -32,6 +32,7 @@ 11 4.0.2 jgit-4.17 + ${git.commit.time} @@ -223,7 +224,6 @@ json cyclonedx ${project.build.directory} - ${project.build.outputTimestamp} false @@ -235,6 +235,26 @@ + + io.github.git-commit-id + git-commit-id-maven-plugin + 6.0.0 + + + get-the-git-infos + + revision + + initialize + + + + false + true + yyyy-MM-dd'T'HH:mm:ss'Z' + UTC + + @@ -255,6 +275,30 @@ ISO-8859-1 + + org.apache.maven.plugins + maven-jar-plugin + 3.3.0 + + + + JGit ${project.artifactId} + ${project.version} + Eclipse.org - JGit + org.eclipse.jgit + ${jgit-url} + ${git.commit.id.describe} + ${git.commit.id} + ${git.commit.time} + ${git.tags} + ${git.remote.origin.url} + + + + + org.eclipse.tycho target-platform-configuration 
@@ -318,6 +362,22 @@ org.eclipse.tycho tycho-packaging-plugin ${tycho-version} + + + org.eclipse.tycho + tycho-buildtimestamp-jgit + ${tycho-version} + + + + jgit + + pom.xml + .polyglot.build.properties + target/ + + yyyyMMddHHmm + org.eclipse.tycho @@ -353,6 +413,15 @@ maven-site-plugin 3.12.1 + + org.apache.maven.plugins + maven-artifact-plugin + 3.5.0 + + **/*cyclonedx.json + true + + -- cgit v1.2.3
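Review bot: the hunk at @@ -223,7 +224,6 @@ removes `${project.build.outputTimestamp}` from the cyclonedx-maven-plugin configuration, while the commit message states the plugin is configured "to also use UTC timestamp of checked out commit"; the two disagree, and since the message also says SBOMs are excluded from `artifact:compare` by design, the message bullet should be dropped or reworded to match what this hunk actually does.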
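Review bot: in the maven-jar-plugin hunk at @@ -255,6 +275,30 @@, the manifest entries `${git.tags}` and `${git.remote.origin.url}` are properties of the builder's clone, not of the commit: the origin URL differs between ssh and https clones and between forks, and the tag set depends on which tags were fetched, so two builds of the same commit on different machines can yield different MANIFEST.MF files and a failing `artifact:compare`. It is also worth confirming that a remote URL with embedded credentials (for example an https URL carrying a token in the userinfo part) can never end up in a shipped jar; if git-commit-id-maven-plugin does not guarantee stripping them, prefer omitting that entry or pinning it to the canonical project URL already available as `${jgit-url}`. A short XML comment stating which manifest entries are expected to be stable across builders would help future maintainers.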
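Review bot: the first hunk (@@ -32,6 +32,7 @@) sets the build output timestamp property to `${git.commit.time}`, which only exists once the git-commit-id-maven-plugin `revision` goal has run in the `initialize` phase (hunk at @@ -235,6 +235,26 @@); the `<properties>` block itself is interpolated when the model is built, before any plugin executes, so the value a consuming plugin sees depends on how that plugin resolves the expression at execution time. The commit message already notes that reading these properties from another plugin proved difficult; please add a comment next to the property documenting this ordering dependency and, since `mvn -T1` is needed for the compare step anyway, a note in the test plan on how to check that the resulting jars actually carry the commit time rather than the literal placeholder.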