Support for project.build.outputTimestamp #233
Comments
Tycho uses https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers#What_does_this_actually_do.3F and some timestamp providers. It would indeed be nice to integrate both concepts (i.e. Tycho timestamp providers to set the property if not otherwise set and tycho-packaging-plugin using this property; and then consider extracting the timestamp providers into Tycho-independent mojos to set the property).
@twz123 would you like to provide a PR for this?
In many cases, the JGit provider is used and uses the timestamp of the last Git commit.
Is this one still relevant? Especially with @laeubi's https://github.com/eclipse/tycho/blob/master/RELEASE_NOTES.md#enhanced-support-for-maven-ci-friendly-versions which sounds related to me.
These are different timestamps, and we most probably need to adjust the DefaultTimestampProvider to use this if given.
- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags, git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3] they should have a build timestamp matching the time when the build was executed and a serial number which is a unique UUID per build run. Hence exclude them from comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects build timestamp in ISO-8601 format, to replace the qualifier in versions the timestamp format must be compatible with rules for OSGi version numbers. Didn't find a way to read the properties set by the git-commit-id-maven-plugin from another plugin. Hence use JGit in a groovy script to get the commit time of the current HEAD and provide it in these two formats.

TODO: packaging build (features and p2 repository) is not yet binary reproducible since that's not yet supported by Tycho [5], artefacts have reproducible version numbers but file lastModified timestamps are not yet reproducible.

Test plan for Maven build:
- build using mvn clean install
- verify second build is reproducible: mvn -T1 clean verify artifact:compare
  verification seems not to be thread-safe, hence run it with a single thread using option -T1

For packaging build (still fails due to non-reproducible file timestamps):
- build using mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible: mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare

[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] CycloneDX/cyclonedx-maven-plugin#84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] eclipse-tycho/tycho#233

Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
As described in the Maven guide for configuring Reproducible Builds, the property project.build.outputTimestamp is used to pass around a timestamp to be used as "current time", to make builds reproducible with respect to the build time. For instance, the Maven JAR Plugin uses this value as file creation timestamp in the JAR entries. The format is described as

Would be cool if e.g. tycho-packaging-plugin would support this as well, creating JARs with entries having the outputTimestamp set in their metadata, instead of the current time.
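
The behaviour requested in this issue, sketched as an added Python example (not code from the issue, Tycho or Maven): every JAR entry is stamped with one fixed outputTimestamp-style value so two builds are byte-identical, and a check lists entries that still carry another time. The function names and the sample files are constructed for illustration; the parser assumes the value is either integer epoch seconds or ISO-8601 with an offset.

```python
import hashlib
import io
import zipfile
from datetime import datetime, timezone


def parse_output_timestamp(value: str) -> datetime:
    """Parse epoch seconds or ISO-8601 with offset into a UTC datetime."""
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    # fromisoformat() only accepts a trailing "Z" from Python 3.11 on
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def dos_time(stamp: datetime) -> tuple:
    """ZIP entries store DOS time with 2-second resolution; round down to match."""
    y, mo, d, h, mi, s = stamp.timetuple()[:6]
    return (y, mo, d, h, mi, s - s % 2)


def build_jar(files: dict, stamp: datetime) -> bytes:
    """Write a JAR whose entry order, timestamps and attributes are all fixed."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name in sorted(files):  # stable entry order
            info = zipfile.ZipInfo(name, date_time=dos_time(stamp))
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3  # otherwise differs between Windows and Unix
            info.external_attr = 0o644 << 16  # fixed permissions
            jar.writestr(info, files[name])
    return buf.getvalue()


def drifting_entries(jar_bytes: bytes, stamp: datetime) -> list:
    """Return names of entries whose timestamp is not the expected one."""
    expected = dos_time(stamp)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [i.filename for i in jar.infolist() if i.date_time != expected]


if __name__ == "__main__":
    # Constructed sample content standing in for a bundle's files.
    sample = {"plugin.properties": b"name=demo\n",
              "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n"}
    ts = parse_output_timestamp("2023-01-01T00:00:00Z")
    jar = build_jar(sample, ts)
    print(hashlib.sha256(jar).hexdigest(), drifting_entries(jar, ts))
```

Running `drifting_entries` over a built artifact with the timestamp of the checked-out commit gives a quick list of the entries that would make `artifact:compare` fail.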