Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.6.3
-
None
Description
When build from the source tarball, we don't have Git revision information which means the non-canonical tag with a timestamp is used. This breaks reproducibility, or at least makes reproducibility harder: you have to add a command line argument -DbuildNumber=...git commit..., as explained in 3.6.3 release notes https://maven.apache.org/docs/3.6.3/release-notes.html
Before patch:
[~/Projekte/maven]$ git clone ... [~/Projekte/maven]$ mvn clean package -Papache-release [~/Projekte/maven]$ cp apache-maven/target/apache-maven-3.7.0-SNAPSHOT-src.tar.gz ~ [~]$ tar xzf apache-maven-3.7.0-SNAPSHOT-src.tar.gz [~]$ cd apache-maven-3.7.0-SNAPSHOT/ [~/apache-maven-3.7.0-SNAPSHOT]$ mv apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1 [~/apache-maven-3.7.0-SNAPSHOT]$ mvn clean package [~/apache-maven-3.7.0-SNAPSHOT]$ mv apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2 [~/apache-maven-3.7.0-SNAPSHOT]$ cd [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1 SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1) = a38ea894346edea14cde621dfe11d5d82e0a9330e430c1fe0538f67581057001 [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2 SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2) = 404798fc51cbcfa6201e23f0e215c6d9d43aeeea0c4383a9cf5e4a0b443e4a21 [~]$ diffoscope apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2 --- apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1 +++ apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2 │ --- apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.1-content ├── +++ apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.2-content │ ├── file list │ │ @@ -71,15 +71,15 @@ │ │ -rw-r--r-- 0 root (0) root (0) 2497 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/javax.inject-1.jar │ │ -rw-r--r-- 0 root (0) root (0) 5848 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/jsr250-api-1.0.jar │ │ -rw-r--r-- 0 root (0) root (0) 263253 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/plexus-utils-3.3.0.jar │ │ -rw-r--r-- 0 root (0) root (0) 27703 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/plexus-sec-dispatcher-1.4.jar │ │ -rw-r--r-- 0 root (0) root (0) 13350 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/plexus-cipher-1.7.jar │ │ -rw-r--r-- 0 root (0) root (0) 41424 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/slf4j-api-1.7.29.jar │ │ -rw-r--r-- 0 root (0) root (0) 501879 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/commons-lang3-3.8.1.jar │ │ --rw-r--r-- 0 root (0) root (0) 631758 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/maven-core-3.7.0-SNAPSHOT.jar │ │ +-rw-r--r-- 0 root (0) root (0) 631756 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/maven-core-3.7.0-SNAPSHOT.jar │ │ -rw-r--r-- 0 root (0) root (0) 27163 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/maven-repository-metadata-3.7.0-SNAPSHOT.jar │ │ -rw-r--r-- 0 root (0) root (0) 57769 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/maven-artifact-3.7.0-SNAPSHOT.jar │ │ -rw-r--r-- 0 root (0) root (0) 66243 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/maven-resolver-provider-3.7.0-SNAPSHOT.jar │ │ -rw-r--r-- 0 root (0) root (0) 180696 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/maven-resolver-impl-1.4.1.jar │ │ -rw-r--r-- 0 root (0) root (0) 36732 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/maven-resolver-spi-1.4.1.jar │ │ -rw-r--r-- 0 root (0) root (0) 379197 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/org.eclipse.sisu.inject-0.3.4.jar │ │ -rw-r--r-- 0 root (0) root (0) 4225 2019-11-07 12:32:18.000000 apache-maven-3.7.0-SNAPSHOT/lib/plexus-component-annotations-2.1.0.jar │ ├── apache-maven-3.7.0-SNAPSHOT/lib/maven-core-3.7.0-SNAPSHOT.jar │ │┄ Command `zipinfo /dev/stdin` exited with 9. Output: │ │┄ <none> │ │ @@ -18070,21416 +18070,21416 @@ │ │ 00046950: b8ca f012 4689 da22 2f39 42cd 9313 9b31 ....F.."/9B....1 │ │ 00046960: 3b64 c7f5 f858 4a54 9d4c 815b c899 2cca ;d...XJT.L.[..,. │ │ 00046970: fdbc f841 8e0b 991c fb38 f3f3 bdac b5bf ...A.....8...... │ │ 00046980: a475 a0a4 75b0 9826 f3a0 84b4 3fd0 ace2 .u..u..&....?... │ │ 00046990: 1089 f88d cc1e f652 c9af 8f5b 715b b156 .......R...[q[.V │ │ 000469a0: 6ff7 d677 785f 9d68 64ed 09fe 1578 3776 o..wx_.hd....x7v │ │ 000469b0: 87ea ff02 504b 0304 1400 0008 0800 0964 ....PK.........d │ │ -000469c0: 674f 0086 3a5d 2b02 0000 ba03 0000 2a00 gO..:]+.......*. │ │ +000469c0: 674f 9b8f 191e 2902 0000 ba03 0000 2a00 gO....).......*. │ │ 000469d0: 0000 6f72 672f 6170 6163 6865 2f6d 6176 ..org/apache/mav │ │ 000469e0: 656e 2f6d 6573 7361 6765 732f 6275 696c en/messages/buil │ │ 000469f0: 642e 7072 6f70 6572 7469 6573 6552 4b6f d.propertieseRKo │ │ -00046a00: da40 10be f32b 4670 4954 3086 aaad 44c5 .@...+FpIT0...D. │ │ -00046a10: c125 a058 2576 c53a 8d72 8ad6 f660 af6a .%.X%v.:.r...`.j │ │ -00046a20: efba bb6b 1cfe 7dc7 0f12 aa5c 40de 996f ...k..}....\@..o │ │ -00046a30: e67b cc04 f622 4169 3005 abc0 e608 5ec5 .{..."Ai0.....^. │ │ -00046a40: 13fa 63ea 681b ae11 76aa 9629 b742 49b8 ..c.h...v..).BI. │ │ -00046a50: f1d8 ee16 e813 3528 89a3 0928 0da5 a2a6 ......5(...(.... ...
After patch:
[~/apache-maven-3.7.0-SNAPSHOT]$ mvn clean package [~/Projekte/maven]$ mv apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1 [~/apache-maven-3.7.0-SNAPSHOT]$ mvn clean package [~/Projekte/maven]$ mv apache-maven/target/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz ~/apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2 [~/apache-maven-3.7.0-SNAPSHOT]$ cd [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1 SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1) = c467f2c45239d2f8c9c61bee7fba5ffc0680a6c2e3516a89c71a83e95ef76cd6 [~]$ sha256 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2 SHA256 (apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2) = c467f2c45239d2f8c9c61bee7fba5ffc0680a6c2e3516a89c71a83e95ef76cd6 [~]$ diffoscope apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.1 apache-maven-3.7.0-SNAPSHOT-bin.tar.gz.rb.2 [~]$ echo $? 0
Attachments
Issue Links
- is depended upon by
-
MNG-6789 Make Maven distribution build Reproducible
- Closed
- links to