in #2217, configuration has been done to ensure Reproducible Build by building 2-times on the same machine and comparing results, as checked with https://github.com/junit-team/junit5/blob/main/gradle/scripts/checkBuildReproducibility.sh

It works fine, great

There is a second level of expectation from https://reproducible-builds.org/ : a third party should be able to rebuild and get the same output

For this, we have 2 issues with the current setup:

1. Created-By: the detailed JVM info is stored in META-INF/MANIFEST for example Created-By: 17.0.8 (Azul Systems, Inc. 17.0.8+7-LTS), which forces the rebuilder to install the exact same JVM distribution (if feasible)
2. Build-Time and Build-Date are stored in META-INF/MANIFEST: perhaps we can extract the value from META-INF/MANIFEST and inject as SOURCE_DATE_EPOCH env variable, but it is really cumbersome

Conclusion:

• In theory:
  the binaries published to Maven Central are reproducible, because when rebuilding in Reproducible Central https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/junit/junit5/README.md , these 2 differences are the only differences found: then in theory, the build environment can be worked out to match expectations to get the same output

• In practice:
  this is really hard to rebuild to get the same output: it would be nice to drop these 2 aspects, or give an easy way to override detected values when rebuilding