To enable reproducible builds AbstractArchiver#addFileSet should add the files in order #114

Closed
plamentotev opened this issue Jun 3, 2019 · 6 comments

@plamentotev
Member

In order to enable reproducible builds, Archiver instances should add their entries in some predictable and reproducible way. To this end AbstractArchiver#addFileSet should add the files in some order. Sorted alphabetically for example.

As the current implementation does not guarantee any particular order we could just modify it to add the entries in alphabetical order, but we may add an additional argument that indicates if the entries should be sorted. What do you think?

To implement this a change in PlexusIoFileResourceCollection is required as well. I've opened a ticket for it too - codehaus-plexus/plexus-io#18

@hboutemy
Member

no need to sort entries, which would cost some CPU cycles
Commons Compress has been updated to keep order of entries vs order of addition: see https://issues.apache.org/jira/browse/COMPRESS-485

@plamentotev
Member Author

plamentotev commented Aug 16, 2019 via email

@hboutemy
Member

Yes, the change in Commons Compress keeps the entries in the same order they are added.
I don't know really if the addition is really reproducible: nobody wrote any test, I'm going step by step, fixing non-reproducible parts as they are clearly identified.
I just incorporated the current fixes (order as added + timestamp) in maven-sources-plugin to test: https://github.com/apache/maven-source-plugin/tree/MSOURCES-120
The result I got is:

  • on my Linux machine, with JDK 7, I get reproducible content from one git checkout
  • but as soon as I change JDK version, I get a different result in a reproducible manner (tested with JDK 8 and JDK 9, each giving a different sha1)
  • and even with JDK 7, if I build from another checkout, I get another sha1
  • I didn't yet test on other OSes

then clearly, order in which files are iterated is not reproducible, as you guessed (but did not prove ;) )
need to see more precisely where this can be done...
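
The effect reported in the comment above, as an added example that is not part of the original thread and not plexus-archiver code: it uses only `java.util.zip`, and the entry names, contents, the two iteration orders and the fixed timestamp are constructed. It hashes the same file set archived in two different orders, first as iterated and then sorted.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class ReproducibleZipDemo {
    // Constructed fixed timestamp used for every entry instead of the file's mtime.
    static final long FIXED_TIME_MS = 1566691200000L; // 2019-08-25T00:00:00Z

    /** Archives the entries (sorted by name if requested) and returns the SHA-1 of the zip bytes. */
    static String sha1OfZip(List<String> names, Map<String, String> contents, boolean sort) throws Exception {
        List<String> order = new ArrayList<>(names);
        if (sort) Collections.sort(order); // order no longer depends on how the file system was iterated
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ZipOutputStream zip = new ZipOutputStream(bytes)) {
            for (String name : order) {
                ZipEntry entry = new ZipEntry(name);
                entry.setTime(FIXED_TIME_MS); // stored as DOS time in the JVM default time zone
                zip.putNextEntry(entry);
                zip.write(contents.get(name).getBytes(StandardCharsets.UTF_8));
                zip.closeEntry();
            }
        }
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-1").digest(bytes.toByteArray())) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        // Pin the zone so the DOS timestamps do not vary between machines.
        TimeZone.setDefault(TimeZone.getTimeZone("UTC"));
        Map<String, String> contents = new HashMap<>();
        contents.put("org/example/A.java", "class A {}");
        contents.put("org/example/B.java", "class B {}");
        contents.put("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n");
        // The same files in two iteration orders, standing in for two checkouts.
        List<String> first = Arrays.asList("org/example/A.java", "META-INF/MANIFEST.MF", "org/example/B.java");
        List<String> second = Arrays.asList("org/example/B.java", "org/example/A.java", "META-INF/MANIFEST.MF");
        System.out.println("identical as iterated: "
            + sha1OfZip(first, contents, false).equals(sha1OfZip(second, contents, false)));
        System.out.println("identical when sorted: "
            + sha1OfZip(first, contents, true).equals(sha1OfZip(second, contents, true)));
    }
}
```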

@michael-o
Member

@hboutemy, I can easily test on FreeBSD with Java 7, 8, 11, 12 if you tell me what to do.

hboutemy added a commit that referenced this issue Aug 25, 2019
permits optional ordering of archive entries to enable reproducible
builds
@hboutemy hboutemy self-assigned this Aug 25, 2019
@hboutemy hboutemy added this to the 4.2.0 milestone Aug 25, 2019
@hboutemy
Member

hboutemy commented Aug 25, 2019

API added in plexus-archiver (using codehaus-plexus/plexus-io#18 and codehaus-plexus/plexus-utils#70 updates)
Please test maven-source-plugin MSOURCES-120 branch to check that it works in any situation and report in associated Jira issue

@plamentotev
Member Author

@hboutemy great work!
