
Include 'reproducible builds' sbt plugin #26546

Merged
merged 2 commits into from Mar 18, 2019

Conversation

raboof
Member

@raboof raboof commented Mar 17, 2019

This does 2 things:

  • publish a 'buildinfo' report along with the project artifacts to describe
    the build context and parameters
  • post-process the jars to remove 'arbitrary' differences, such as jar file
    ordering and timestamps.

This makes it easier to detect and explain when 2 builds of the same source
don't produce a bit-per-bit identical result. This for example can improve
our confidence that our distribution pipeline has not been compromised.

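The two bullets above describe post-processing jars so that entry order and timestamps stop producing spurious differences, and explaining what differs when two builds still disagree. The following is an added illustration of that technique in Python, not code from this PR or from the sbt-reproducible-builds plugin: it constructs two in-memory "builds" of the same content that differ only in entry order and timestamps, reports why their hashes differ, and shows that normalizing both yields byte-identical jars. Entry names and contents are constructed sample data.

```python
import hashlib
import io
import zipfile

# Earliest timestamp a zip entry can carry; used as the fixed value.
FIXED_TIME = (1980, 1, 1, 0, 0, 0)


def build_jar(entries, timestamp):
    """Write (name, bytes) entries into an in-memory jar in the given order
    with the given timestamp, the way a non-reproducible build might."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def normalize_jar(jar_bytes):
    """Post-process a jar: sorted entry order, fixed timestamps, cleared
    external attributes. Entry contents are untouched, so two builds of the
    same source that differed only in those respects become byte-identical."""
    src = zipfile.ZipFile(io.BytesIO(jar_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0  # drop unix mode/uid bits
            dst.writestr(info, src.read(name))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def explain_differences(jar_a, jar_b):
    """List the reasons two jars differ at the entry level (order, entry
    set, timestamps, content). An empty list means none of these differ;
    other header-level differences are outside what this check inspects."""
    za = zipfile.ZipFile(io.BytesIO(jar_a))
    zb = zipfile.ZipFile(io.BytesIO(jar_b))
    reasons = []
    names_a, names_b = za.namelist(), zb.namelist()
    if names_a != names_b:
        if sorted(names_a) == sorted(names_b):
            reasons.append("entry order differs")
        else:
            only_a = sorted(set(names_a) - set(names_b))
            only_b = sorted(set(names_b) - set(names_a))
            reasons.append(f"entry set differs: only in A {only_a}, only in B {only_b}")
    for name in sorted(set(names_a) & set(names_b)):
        ia, ib = za.getinfo(name), zb.getinfo(name)
        if ia.date_time != ib.date_time:
            reasons.append(f"{name}: timestamp {ia.date_time} vs {ib.date_time}")
        if za.read(name) != zb.read(name):
            reasons.append(f"{name}: content differs")
    return reasons


def sample_builds():
    """Constructed pair of 'builds' of the same source: identical content,
    written in a different order and at different times."""
    entries = [
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
        ("akka/Example.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16),
    ]
    first = build_jar(entries, (2019, 3, 17, 10, 0, 0))
    second = build_jar(list(reversed(entries)), (2019, 3, 18, 11, 30, 0))
    return first, second


if __name__ == "__main__":
    first, second = sample_builds()
    print("raw builds identical:", sha256(first) == sha256(second))
    for reason in explain_differences(first, second):
        print("  -", reason)
    print("normalized identical:",
          sha256(normalize_jar(first)) == sha256(normalize_jar(second)))
```

Normalizing is idempotent, so a jar that has already been post-processed can be run through the step again without changing its hash; that is what lets a second, independent build be compared against a published artifact.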
@akka-ci added the labels validating (PR is currently being validated by Jenkins) and tested (PR that was successfully built and tested by Jenkins), and removed validating, on Mar 17, 2019
@akka-ci

akka-ci commented Mar 17, 2019

Test PASSed.

Member

@johanandren johanandren left a comment


Interesting, what does "environment" mean? System properties? Environment variables? No secrets that could leak through that?


object OSGi {

// The included osgiSettings that creates bundles also publish the jar files
// in the .../bundles directory which makes testing locally published artifacts
// a pain. Create bundles but publish them to the normal .../jars directory.
def osgiSettings = defaultOsgiSettings ++ Seq(
Compile / packageBin := OsgiKeys.bundle.value,
Compile / packageBin := ReproducibleBuildsPlugin.postProcessJar(OsgiKeys.bundle.value),
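Review bot: as rendered here, both `Compile / packageBin := OsgiKeys.bundle.value` and `Compile / packageBin := ReproducibleBuildsPlugin.postProcessJar(OsgiKeys.bundle.value)` appear inside the same `Seq`; if both lines survive, sbt keeps the later setting and the first becomes dead, so confirm the old assignment is actually removed rather than left in place. The reason the post-processing has to be restated at this point (the OSGi bundle replacing the `packageBin` task wholesale, which the plugin's automatic injection does not see) is not recoverable from the code alone, so the explanatory comment discussed in this thread belongs directly above this line.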
Member


Isn't it weird to sneak it in here in the OSGi config, or does it have to be here to know that it happens after the OSGi bundle task?

Member Author


ReproducibleBuildsPlugin.postProcessJar is normally injected into Compile/packageBin automatically by the reproducible-builds plugin. Here we replace the Compile/packageBin task wholesale with the OSGi bundle, so we need to 're-introduce' the ReproducibleBuildsPlugin.postProcessJar explicitly. We could do it elsewhere but I think that would make it even harder to follow. I'll add a comment explaining this though.

Member


Couldn't it be its own autoplugin and just express the ordering by depending on the OSGi autoplugin, though?

@raboof
Member Author

raboof commented Mar 18, 2019

what does "environment" mean? System properties? Environment variables? No secrets that could leak through that?

It includes some system properties (like java.version and os.name), but selectively so I don't think there is a risk of leaking secrets there.
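The exchange above turns on the report being built from an allowlist of system properties rather than a dump of the environment. The following is an added illustration of that approach in Python, not code from this PR or from the sbt plugin: it assembles a buildinfo-style report from allowlisted property keys only, serializes it canonically so the report itself is reproducible, and runs a pre-publish check that no credential-like environment value appears in the output. The property and environment maps, the allowlisted keys beyond `java.version` and `os.name`, and the secret values are all constructed sample data.

```python
import json

# Constructed stand-ins for a CI machine's JVM system properties and process
# environment. The secret-looking entries exist only to show what a selective
# report keeps out.
SAMPLE_SYSTEM_PROPERTIES = {
    "java.version": "1.8.0_202",
    "java.vendor": "Oracle Corporation",
    "os.name": "Linux",
    "user.name": "jenkins",        # machine-specific, deliberately not reported
    "user.home": "/home/jenkins",
}
SAMPLE_ENVIRONMENT = {
    "PATH": "/usr/bin:/bin",
    "SONATYPE_PASSWORD": "constructed-secret-1",
    "GITHUB_TOKEN": "constructed-secret-2",
}

# Allowlist of the only property keys the report may carry. The plugin's own
# selection is not shown on the page; these keys are illustrative (assumption).
REPORTED_PROPERTIES = ("java.version", "java.vendor", "os.name")


def build_info(system_properties, artifact_name, artifact_sha256):
    """Assemble the report by copying allowlisted keys only. Anything not on
    the list, including the whole process environment, is never read, so a
    new secret on the build machine cannot leak by accident."""
    report = {"artifact.name": artifact_name, "artifact.sha256": artifact_sha256}
    for key in REPORTED_PROPERTIES:
        if key in system_properties:
            report["property." + key] = system_properties[key]
    return report


def render(report):
    """Canonical serialization: sorted keys and fixed indentation, so two
    runs that collected the same facts produce the same bytes."""
    return json.dumps(report, sort_keys=True, indent=2) + "\n"


def leaked_secrets(rendered_report, environment):
    """Belt-and-braces check before publishing: return the names of any
    credential-looking environment variables whose value shows up verbatim
    in the rendered report. Expected result is an empty list."""
    markers = ("PASSWORD", "SECRET", "TOKEN", "KEY", "CREDENTIAL")
    return sorted(
        name for name, value in environment.items()
        if any(m in name.upper() for m in markers)
        and value and value in rendered_report
    )


if __name__ == "__main__":
    report = build_info(SAMPLE_SYSTEM_PROPERTIES, "example.jar", "0" * 64)
    text = render(report)
    print(text)
    print("leaked:", leaked_secrets(text, SAMPLE_ENVIRONMENT))
```

The allowlist does the real work; the leak check only catches a value that was copied in by some other path (a free-text field, for instance) and is there so that a regression is caught before the report is published alongside the artifacts.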

@akka-ci added the labels validating (PR is currently being validated by Jenkins) and tested (PR that was successfully built and tested by Jenkins), and removed tested and validating, on Mar 18, 2019
@akka-ci

akka-ci commented Mar 18, 2019

Test PASSed.

Member

@patriknw patriknw left a comment


LGTM

@raboof raboof merged commit 6f66981 into master Mar 18, 2019
@raboof raboof deleted the reproducibleBuilds branch March 18, 2019 16:12
@raboof raboof added this to the 2.5.22 milestone Mar 18, 2019