New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generated JAR file depends on default time zone #222
Comments
TY @ppkarwasz |
The `commons-logging` artifacts version 1.3.0 are fully reproducible except: * the SPDX descriptor. Due to moditect/moditect#222 the timezone is one of the variables to take into consideration. In this case it is `America/New_York`. **Remark**: all the artifacts that use `commons-parent` version 65 (the first one with Moditect version 1.1.0) should be reproducible too.
The `commons-logging` artifacts version 1.3.0 are fully reproducible except: * the SPDX descriptor. Due to moditect/moditect#222 the timezone is one of the variables to take into consideration. In this case it is `America/New_York`. **Remark**: all the artifacts that use `commons-parent` version 65 (the first one with Moditect version 1.1.0) should be reproducible too.
@ppkarwasz I suppose this is an issue that should be fixed by JDK: do you know if it was reported there? |
@hboutemy, it looks like a regression from JDK-7012868, but I always found submitting bugs against the JDK very frustrating (no way to answer JDK dev comments). Remark that there is another subtle difference between the original JAR entries and those generated by Moditect: the new entries have an extended timestamp extension and looking at the JDK code, there is no workaround for that either. |
workaround found for equivalent issue in maven-shade-plugin apache/maven-shade-plugin#179 in the case of moditect, it would be nice to disable extra fields (created/accessed/modified time) usage instead of trying to update f3e629b |
@hboutemy what would be the fix here? MSHADE-420 reads the time from an existing entry. What we need is to write back a given time. |
This is a hard one. Unless I am mistaken, as long you use Java's Zip File System:
Since even in Java 21 the Zip File System does not have any property to change the timezone just for this file system (cf. documentation) and setting the JVM's default timezone in the plugin is not an acceptable solution, IMHO the Until then either users must run Maven with an UTC timezone (which is an acceptable option for reproducibility) or they must use the |
Gotcha. I suppose rewriting to use |
There is also Conmons Compress. |
@garydgregory Indeed, but we'd prefer to keep dependencies at a minimum, which means rolling our sleeves and use JSL APIs, even if it means writing more code 😓 |
🎉 This issue has been resolved in |
When Moditect adds elements to an existing JAR file, it uses
ZipFileSystem
instead of the olderZipOutputStream
. Unfortunately this has a big drawback:The reason behind this is due to JDK internals:
ZipEntry#setTime/setLastModifiedTime
methods usejava.util.zip.ZipUtils#javaToExtendedDosTime
method, which is independent from the system default time zone,ZipFileSystem
on the other hand usesjdk.nio.zipfs.ZipUtils#javaToDosTime
method, which depends on the system default time zone.Reproduction
To reproduce this problem use any recent project that uses Moditect, e.g. apache/commons-logging and build it using two different time zones.
On my Debian system with JDK 17 I obtain:
The only difference is in the DOS time stamp of the entries modified by Moditect.
The text was updated successfully, but these errors were encountered: