8238650: Allow to override buildDate with SOURCE_DATE_EPOCH #422
This is a continuation of the pull request started by @bmwiedemann in January 2020. After this change is integrated, I can follow up immediately with additional pull requests that get us much closer to providing fully reproducible builds.
The only conclusive way to verify a software package is to reproduce it. That's the main point of the Linux Foundation article Preventing Supply Chain Attacks like SolarWinds by David Wheeler, Director of Open Source Supply Chain Security. "In the longer term," he writes, "I know of only one strong countermeasure for this kind of attack: verified reproducible builds."
It's not enough anymore to trust the person, organization, or company that publishes a software package. David Wheeler explains, "Assuming a system can 'never be broken into' is a failing strategy." As I see it, any project that doesn't yet allow for reproducible builds is on a list of possible attack vectors. I'd like to get OpenJFX off that list.
This is a huge undertaking involving the entire open-source community. Just Debian, for example, has over 30,000 source packages to build in a reproducible manner. Remarkably, it's almost 96 percent complete. The OpenJFX package is one of the three percent still failing. Our first step towards helping in this goal is to support the
When you want to build 30,000 packages in a reproducible manner, command-line flags unique to each package aren't so helpful. The environment variable needs to be set, anyway, for the tools invoked by Gradle to pick it up. We could allow for a Gradle property in addition to the environment variable. The Gradle property would override the default current date and export the environment variable, and the environment variable would override the command-line property. I think it makes more sense in the OpenJFX build to support the environment variable directly.
With these considerations, I added the support just as recommended by the example for "Java / gradle" on the Reproducible Builds
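As an added illustration (not code from this pull request or from the OpenJFX build), the following build.gradle fragment shows the approach described above: when SOURCE_DATE_EPOCH is set, the build date is derived from it; otherwise the current time is used. The function name `reproducibleBuildDate`, the `ext.buildDate` property and the date pattern are assumptions; the formatting is pinned to UTC so the result does not depend on the build machine's time zone.

```groovy
// Added example, not part of the OpenJFX build scripts.
// Honors SOURCE_DATE_EPOCH (seconds since the Unix epoch, per the
// Reproducible Builds specification) and falls back to "now".
import java.time.Instant
import java.time.ZoneOffset
import java.time.format.DateTimeFormatter

def reproducibleBuildDate() {
    def epoch = System.getenv("SOURCE_DATE_EPOCH")
    Instant instant
    if (epoch != null && epoch.trim().isLong()) {
        // Deterministic: every rebuild with the same SOURCE_DATE_EPOCH
        // yields the same date string.
        instant = Instant.ofEpochSecond(Long.parseLong(epoch.trim()))
    } else {
        // Non-reproducible fallback when the variable is absent or malformed;
        // Gradle still builds, but the date will differ between runs.
        if (epoch != null) {
            logger.warn("Ignoring malformed SOURCE_DATE_EPOCH value: '${epoch}'")
        }
        instant = Instant.now()
    }
    // Use UTC explicitly; formatting in the local zone would make the
    // output depend on where the build runs, defeating reproducibility.
    return DateTimeFormatter.ofPattern("yyyy-MM-dd")
            .withZone(ZoneOffset.UTC)
            .format(instant)
}

// Assumed property name; the rest of the build would read ext.buildDate
// wherever it previously used the current date.
ext.buildDate = reproducibleBuildDate()
logger.lifecycle("buildDate = ${ext.buildDate}")
```

Running the build twice with the same `SOURCE_DATE_EPOCH` exported (for example `SOURCE_DATE_EPOCH=1577836800 gradle ...`) should log the same `buildDate` both times, which is the check a reviewer can use to confirm the override takes effect.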
Thanks. I'll try that now. I checked and Bernhard is on the list of "OCAs submitted prior to 2021," but not on the OpenJDK Census list, in case that matters.
By the way, should I be adding my own name, too? It looks as if sometimes people do that and sometimes not. That would put me as "Author" and also on a line with "Co-authored-by" in the commit message.
/contributor add @bmwiedemann
I jumped the gun and created the follow-up pull request. I thought it might help when reviewing this pull request to have a full picture of that larger effort. Although these two changes are part of a huge undertaking in the open-source community, it turns out that the changes required on our part are quite small.