Tentatively slated for 5.7 M1 for team discussion

The JARs that it does not apply to are junit-platform-commons and junit-platform-console as these use direct calls to the jar command as part of their builds which introduces non-determinism through the last modified timestamps.

Since all other jars use junit-platform-commons, merging this would have limited value. Is there an option for the jar command to use a fixed timestamp or can we add another task action to reset the timestamps of the jars?

As far as I'm aware, jar doesn't have the capacity to set timestamps, so we'd need to go with option 2 - happy to add that.

I imagine something that loops over the contents of the archive and sets last modified to the value of buildTimeAndDate, which can be pinned to SOURCE_DATE_EPOCH.

I think it should use the same timestamp Gradle uses:
https://github.com/gradle/gradle/blob/199fd61e4ab42e4b61fda5d70158175b078d4b9f/subprojects/core/src/main/java/org/gradle/api/internal/file/archive/ZipCopyAction.java#L42-L57

Codecov Report

Merging #2217 into master will not change coverage by %.
The diff coverage is n/a.

@@            Coverage Diff            @@
##             master    #2217   +/-   ##
=========================================
  Coverage     91.21%   91.21%           
  Complexity     4466     4466           
=========================================
  Files           383      383           
  Lines         10724    10724           
  Branches        869      869           
=========================================
  Hits           9782     9782           
  Misses          728      728           
  Partials        214      214           

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6cde364...b4ad488. Read the comment docs.

@marcphilipp - I believe that the most recent commit solves the issue for the two special-case sub-projects.

(Took https://github.com/Johni0702/gradle-reproducible-builds-plugin/blob/master/src/main/groovy/de/johni0702/gradle/ReproducibleBuildsPlugin.groovy as inspiration)

Those commits have been re-written, and the test script only returns a diff for buildSrc as discussed earlier in the PR.

The jar-rewriting has been moved to its own file under buildSrc and is imported only in the two projects that need it. Feels much cleaner!

This looks like it's almost ready to go - is there a sensible place to record this feature in the User Guide / Release Notes? (Last remaining unchecked box)

I'd say as a new section in the appendix. WDYT?

That sounds good, will add something there.

I've also added another GitHub action which will perform multiple assemble steps and compare their checksums, to ensure that future changes don't regress this property.

EDIT: This is now done and working - ready for re-review @marcphilipp

Thanks for the feedback, made changes as suggested. 👍

Thanks a lot, @mrwilson! 🎉

Glad to see this merged in! Great work @mrwilson. 🎉

Frankly speaking, I see no reason to enforce timestamps in jar files.
It could be OK to just leave them as is (==0 timestamps) and avoid repackage step.

It is required to capture the build environment: timestamp, and Java version/vendor.

Even though jar most jar files have Build-Date and Build-Time headers, it is not clear how to reproduce JUnit build.
What value should be passed to SOURCE_DATE_EPOCH ?

FYI, I just added Gradle builds support to reproducible-central
and I tested JUnit5 latest release: https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/junit/junit5/README.md
sorry, there are still a few issues

The results linked via 🔍 show differences like:

│ -Created-By: 11.0.14.1 (Oracle Corporation 11.0.14.1+1)
│ +Created-By: 11.0.13 (Eclipse Adoptium 11.0.13+8)

Seems like not all "external" properties are stable - or not all expected differences are excluded from the comparison.

What is the latest result for JUnit 5.10.1?

What is the latest result for JUnit 5.10.1?

with my limited knowledge of Gradle, I can't make the build work: I need help

$ ./gradlew --no-daemon clean assemble publishToMavenLocal -x test -x signMavenPublication
...
FAILURE: Build failed with an exception.

* What went wrong:
Execution failed for task ':junit-bom:publishMavenPublicationToMavenLocal'.
> Failed to publish publication 'maven' to repository 'mavenLocal'
   > Invalid publication 'maven': artifact file does not exist: '/tmp/junit-bom/junit-bom/build/publications/maven/pom-default.xml.asc'
...

Do you know how I can fix this?

The command we use in checkBuildReproducibility.sh reads:

./gradlew --no-build-cache clean assemble --parallel -Porg.gradle.java.installations.auto-download=false -Dscan.tag.Reproducibility

Does this help?

I tried to run this command: gives build success, but I don't know what this success means

Then I tried to modify source code and rebuild: same success, even if the expected result for modified code is failure because I obvioulsy should not get the same binaries are the 5.10.1 release

then I don't know what this command does, it it does not do what I expect = check local build output against content downloaded from Maven Central

I'll try to have a look at checkBuildReproducibility.sh to figure out...

@hboutemy Our release builds currently require signing but you can use any PGP key you want. The key id in your local GPG can be configured by passing -Psigning.gnupg.keyName=<your-key-id> (e.g. the actual key would be FF6E2C001948C5F2F38B0CC385911F425EC61B51). I'll add a build option to future releases so that signing can be disabled.

thanks @marcphilipp for helping: ok, I need to drop the -x signMavenPublication, then I'm now able to build 5.10.1

another question: is there a way to configure the publishToMavenLocal output to another place than default .m2/repository? This is a flexibility that would ease my work on creating a rebuild script

for now, I checked manually (please continue helping me on the ~/.m2/rpeository part), and found that issues from 5.8.2 remain in 5.10.1, for example:

├── META-INF/MANIFEST.MF
│ @@ -1,17 +1,17 @@
│  Manifest-Version: 1.0
│ -Build-Date: 2023-11-17
│ +Build-Date: 2023-11-05
│  Build-Revision: e5f50d8720741623915979ac154b65bcbcd6a577 
│ -Build-Time: 09:46:53.210+0100
│ +Build-Time: 17:49:13.996+0100
│  Built-By: JUnit Team
│  Bundle-ManifestVersion: 2
│  Bundle-Name: JUnit Vintage Engine
│  Bundle-SymbolicName: junit-vintage-engine
│  Bundle-Version: 5.10.1
│ -Created-By: 17.0.8 (Azul Systems, Inc. 17.0.8+7-LTS)
│ +Created-By: 17.0.5 (BellSoft 17.0.5+8-LTS)
│  Export-Package: org.junit.vintage.engine;version="5.10.1";status=INTER
│   NAL;mandatory:=status;uses:="org.apiguardian.api,org.junit.platform.e
│   ngine",org.junit.vintage.engine.descriptor;version="5.10.1";status=IN
│   TERNAL;mandatory:=status;uses:="org.apiguardian.api,org.junit.platfor
│   m.engine,org.junit.platform.engine.support.descriptor,org.junit.runne
│   r,org.junit.runner.manipulation",org.junit.vintage.engine.discovery;v
│   ersion="5.10.1";status=INTERNAL;mandatory:=status;uses:="org.apiguard

for the Build-Time and Build-Date , maybe there is a command line attribute to add for me to get the same binaries as what is published to Maven Central
for the Created-By: 17.0.8 (Azul Systems, Inc. 17.0.8+7-LTS), it's a pain to have that detailed info on the JDK because I need to install exactly the same one (hoping I can find it)

for the Build-Time and Build-Date , maybe there is a command line attribute to add for me to get the same binaries as what is published to Maven Central

Set the SOURCE_DATE_EPOCH environment variable, it's picked up by the build.

# Fix build time
export SOURCE_DATE_EPOCH=$(date +%s)

Details: https://reproducible-builds.org/docs/source-date-epoch/

@hboutemy Could you please raise a new issue where we can discuss dropping the Created-By attribute?

another question: is there a way to configure the publishToMavenLocal output to another place than default .m2/repository? This is a flexibility that would ease my work on creating a rebuild script

Yes, you can call publishAllPublicationsToTempRepository instead of publishToMavenLocal to write to build/repo instead.

thanks @marcphilipp for helping: ok, I need to drop the -x signMavenPublication, then I'm now able to build 5.10.1

I've just added an option to disable signing that will help with future releases: 6238d55

Set the SOURCE_DATE_EPOCH environment variable, ...

Perhaps we can store the value used for SOURCE_DATE_EPOCH inside the Manifest.mf file for easier consumption? 🤔

Created-By: 17.0.8 (Azul Systems, Inc. 17.0.8+7-LTS), it's a pain to have that detailed info on the JDK because I need to install exactly the same one (hoping I can find it)

In practice, different JVM can produce different jars, so having a detailed JVM version does help.
I am not sure it should be in MANIFEST though, and it might be better to store it side by side with the generated jars (just like we do not store the timestamps in the jars rather than we store it separately).

@visi #3559 created, as asked by @marcphilipp
let's discuss there :)

and thanks @marcphilipp for your hints, I'll be able to improve my Gradle rebuilding script in Reproducible Central to check more projects in the future