Anand Beh opened MJAR-275 and commented
Setting project.build.outputTimestamp to a fixed value allows creating reproducible builds per this guide: https://maven.apache.org/guides/mini/guide-reproducible-builds.html However, if one adds a module-info file to the project, reproducible builds break.
This is caused by module-info.class using the latest timestamp and not project.build.outputTimestamp. I was able to identify the problem using diffoscope: https://diffoscope.org/. With it I determined the timestamp across 2 builds was constant for all but the module-info.class:
-rw---- 2.0 fat 862 bl defN 20-Oct-17 00:40 space/arim/libertybans/api/select/SelectionOrder.class
│ -rw---- 2.0 fat 1113 bl defN 20-Oct-17 00:40 space/arim/libertybans/api/select/SelectionOrderBuilder.class
│ -rw---- 2.0 fat 2285 bl defN 20-Oct-17 00:40 META-INF/maven/space.arim.libertybans/bans-api/pom.xml
│ -rw---- 2.0 fat 74 bl defN 20-Oct-17 00:40 META-INF/maven/space.arim.libertybans/bans-api/pom.properties
│ --rw---- 2.0 fat 557 bl defN 20-Oct-25 12:39 module-info.class
│ +-rw---- 2.0 fat 557 bl defN 20-Oct-25 12:41 module-info.class
Note the + and - which are diffoscope's way of indicating the difference between the .jar files. Here the project.build.outputTimestamp is on 17 October. As shown, module-info has a "rebellious" timestamp.
EDIT:
Example project to reproduce the bug:
https://github.com/A248/MJAR-275 (Renamed from https://github.com/A248/MCOMPILER-439)
Source code is also provided as an attachment below
Affects: 3.2.0
Attachments:
Issue Links:
-
MJAR-263 Reproducible Builds: make entries in output jar files reproducible (order + timestamp)
-
MCOMPILER-542 clean JDK patch version in module-info.class
-
MJAR-285 versioned files do not use project.build.outputTimestamp
-
MSHARED-1066 Upgrade Plexus Archiver to 4.3.0
("depends upon")
Remote Links:
2 votes, 11 watchers
Anand Beh opened MJAR-275 and commented
Setting
project.build.outputTimestampto a fixed value allows creating reproducible builds per this guide: https://maven.apache.org/guides/mini/guide-reproducible-builds.html However, if one adds a module-info file to the project, reproducible builds break.This is caused by module-info.class using the latest timestamp and not
project.build.outputTimestamp. I was able to identify the problem using diffoscope: https://diffoscope.org/. With it I determined the timestamp across 2 builds was constant for all but the module-info.class:Note the + and - which are diffoscope's way of indicating the difference between the .jar files. Here the
project.build.outputTimestampis on 17 October. As shown, module-info has a "rebellious" timestamp.EDIT:
Example project to reproduce the bug:
https://github.com/A248/MJAR-275 (Renamed from https://github.com/A248/MCOMPILER-439)
Source code is also provided as an attachment below
Affects: 3.2.0
Attachments:
Issue Links:
MJAR-263 Reproducible Builds: make entries in output jar files reproducible (order + timestamp)
MCOMPILER-542 clean JDK patch version in module-info.class
MJAR-285 versioned files do not use project.build.outputTimestamp
MSHARED-1066 Upgrade Plexus Archiver to 4.3.0
("depends upon")
Remote Links:
2 votes, 11 watchers