8238650: Allow to override buildDate with SOURCE_DATE_EPOCH #99
Conversation
|
Hi bmwiedemann, welcome to this OpenJDK project and thanks for contributing! We do not recognize you as Contributor and need to ensure you have signed the Oracle Contributor Agreement (OCA). If you have not signed the OCA, please follow the instructions. Please fill in your GitHub username in the "Username" field of the application. Once you have signed the OCA, please let us know by writing If you already are an OpenJDK Author, Committer or Reviewer, please click here to open a new issue so that we can record that fact. Please use "Add GitHub user bmwiedemann" as summary for the issue. If you are contributing this work on behalf of your employer and your employer has signed the OCA, please let us know by writing |
|
In addition to a signed OCA, we will need a bug filed to track this. Please read the CONTRIBUTING guidelines. |
|
/signed I filed one bug and got review ID : 9063488 |
|
Thank you! Please allow for up to two weeks to process your OCA, although it is usually done within one to two business days. Also, please note that pull requests that are pending an OCA check will not usually be evaluated, so your patience is appreciated! |
OK. |
bridgekeeper
bot
removed
oca
|
So the contributor agreement is done. How can I find the bug? |
|
The OCA needs to be validated and recorded. As for the bug, it has been transferred to the JDK project as JDK-8238650. |
in order to make builds reproducible. See https://reproducible-builds.org/ for why this is good and https://reproducible-builds.org/specs/source-date-epoch/ for the definition of this variable. Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de>
bmwiedemann
changed the title
https://www.oracle.com/technetwork/community/oca-486395.html#w now has
Thanks, somehow I had not got an email notification for that. |
Every fix (meaning each pull request) needs a unique bug ID. |
|
/reviewers 2 |
|
@kevinrushforth |
|
As an optional override, I am OK with the concept of having a way for the build to be reproducible. FWIW, I have scripts that will unpack the modular jar files and diff each class as well as doing the same for a src.zip, and it's pretty easy to tell if only VersionInfo (which is the class that records the time stamps) has changed. I note that in practice, this is useful for a certain class of builds (e.g., CI or nightly test builds), but each released build is necessarily going to be different because you want a unique time stamp and build number associated with it. I will review this (probably some time next week) and would like @johanvos to review as well. |
I agree that such specialized diff tools have some value, yet, there are also some limitations and downsides to them. E.g. you cannot simply tell another party what the expected sha256sum of a build result is. https://www.suse.com/c/?p=42014 also has a section on problems with "the use of specialized comparison tools like [openSUSE's] ‘build-compare‘ " I probably should write an FAQ entry about that topic...
For release builds, it is important that other people can take the released sources and reproduce the same original binaries with the same release number (and ideally same timestamps) to easily verify that the build was clean (not corrupted by bad CPUs/RAM/HDDs or someone messing with the build machine). |
|
Hi, did you find time to review this? |
|
No, I'm pretty backed up on reviews. It's on my queue, though. |
There was a problem hiding this comment.
Finally getting to this (sorry for the delay). This seems OK to me, as it is not an intrusive change. I do not think that actually setting this property for production builds is a good idea, so I recommend against that (ultimately that will be up to Gluon or whoever produces builds).
I'll test it once you change it from an env variable to a gradle property.
| @@ -539,7 +539,7 @@ if (jfxReleasePatchVersion == "0") { | |||
| defineProperty("RELEASE_VERSION", relVer) | |||
| defineProperty("RELEASE_VERSION_PADDED", "${jfxReleaseMajorVersion}.${jfxReleaseMinorVersion}.${jfxReleaseSecurityVersion}.${jfxReleasePatchVersion}") | |||
|
|
|||
| def buildDate = new java.util.Date() | |||
| def buildDate = System.getenv("SOURCE_DATE_EPOCH") == null ? new java.util.Date() : new java.util.Date(1000 * Long.parseLong(System.getenv("SOURCE_DATE_EPOCH"))) | |||
There was a problem hiding this comment.
This should be defined as a gradle property using defineProperty like this:
defineProperty("SOURCE_DATE_EPOCH", "")
You can then test for SOURCE_DATE_EPOCH == ""
You would pass it into the build via gradle -PSOURCE_DATE_EPOCH=...
I also recommend wrapping the line since it's pretty long.
While you are at it, can you add BUILD_TIMESTAMP to the list of properties that are logged? Look for log.quiet.
|
@bmwiedemann are you planning to pursue this PR? |
|
Long term, yes. I am currently low on time and my Java-foo is not that great, so I was hoping that someone would pick it up. |
|
I note that the JDK build recently implemented this feature in JDK 15 with JDK-8244592. |
|
Converted to a Draft PR, so that it will not show up as |
@bmwiedemann Thank you for getting this important change started. If you can finish this pull request, I'll follow up with some additional changes to support reproducible builds. Otherwise, if you're still short on time, I can pick up where you left off. So far I managed to create reproducible Java artifacts — all but the native shared libraries (and the |
|
@jgneff feel free to pick it up. When linking shared libraries, ensure that .o files are listed in deterministic order - i.e. |
|
@bmwiedemann Unknown command |
Wow, that tip was priceless! Thank you, Bernhard. It took forever to figure out where to add it, but simply adding index 8f1e04a833..9181ccc7fb 100644
--- a/buildSrc/src/main/groovy/com/sun/javafx/gradle/LinkTask.groovy
+++ b/buildSrc/src/main/groovy/com/sun/javafx/gradle/LinkTask.groovy
@@ -49,7 +49,7 @@ class LinkTask extends DefaultTask {
args("$lib");
}
// Exclude parfait files (.bc)
- args(objectDir.listFiles().findAll{ !it.getAbsolutePath().endsWith(".bc") });
+ args(objectDir.listFiles().sort().findAll{ !it.getAbsolutePath().endsWith(".bc") });
if (project.IS_WINDOWS) {
args("/out:$lib");
} else {We have reproducible builds! (Well, we have them on Linux, at least, and only after running |
Now the interesting question is, if it is possible to change |
Yes, that would be interesting, if |
|
By the way, we have reproducible builds on Linux, macOS, and Windows now! (Well, still using |
Sorted output still complies with that API, though. |
Well, that's true. I hadn't thought of it that way. I have tried twice and failed to add you as a contributor to my follow-up pull request. The only option left is the syntax "contributor add J. Duke duke@openjdk.org", but I'm not sure whether you want the e-mail address in your GitHub profile made public. Let me know whether I should pursue the problem. If you're added, it puts your name and address in the commit log with It might be useful to have a previous commit if you plan to contribute to the OpenJFX project in the future. |
|
I think PR can be closed now, in favor of PR #422 |
Allow to override buildDate with
SOURCE_DATE_EPOCHin order to make builds reproducible.
See https://reproducible-builds.org/ for why this is good
and https://reproducible-builds.org/specs/source-date-epoch/
for the definition of this variable.
This PR was done while working on reproducible builds for openSUSE.
Progress
Issue
Download
$ git fetch https://git.openjdk.java.net/jfx pull/99/head:pull/99$ git checkout pull/99