Reproducible Builds for the JVM and beyond
Hervé Boutemy
Halifax, NS, 2023-10-10
About Me
● Maven PMC Member, Attic PMC Chair
● ASF Member
● working on Software Supply Chain @ Sonatype
● SBOM: CycloneDX, SPDX
● signature: Sigstore
● Reproducible Builds for the JVM:
○ discovered in April 2016 (post-processing)
○ actively working since January 2019 (Maven built-in)
Agenda
● Reproducible Builds
○ what? why? how?
● Reproducible Builds for the JVM
○ checking against Maven Central
○ configuring for Maven, Gradle, sbt
● Quiz: to be or not to be Reproducible
● What’s next?
Reproducible Builds: what? why? how?
(diagram: input source code → builder → output binaries, taken as the reference; the same input source code → rebuilder → the same output binaries, bit for bit)
a set of software development practices that create an independently-verifiable path from source to binary code
https://reproducible-builds.org/ (since 2013)
Why does it matter?
● reproducible-builds.org:
“allow verification that no vulnerabilities or backdoors have been introduced during the compilation
process”
● my own lessons learned
○ you have the source, but are you really able to rebuild?
■ is it the real Git commit? is “Build successful” message sufficient?
○ are you sure nothing from your build environment leaked into output binaries?
■ found username, hostname, path to current directory, private key passphrase, …
○ enables build-cache efficiency (identical inputs give identical outputs)
● ASF policy: official source release vs convenience binaries
○ how do you audit binaries staged by release manager? “Just trust”?
How?
● reproducible-builds.org:
1. the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded and output always has to be written in the same order.
2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.
3. users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build.
Reproducible Builds for the JVM:
1. configure build: Maven, Gradle, sbt
2. check binaries: Maven Central
Reproducible Central (started 03-2020)
https://github.com/jvm-repo-rebuild/reproducible-central
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
What If a Difference is Found?
1. Where is the difference?
2. What is the difference? https://diffoscope.org/
3. Why? How to fix?
Reproducible Builds for the JVM:
1. configure build: Maven, Gradle, sbt
2. check binaries: Maven Central
Reproducible Builds for Maven (since 03-2020)
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
1. Enable Reproducible Builds:
2. Check plugins known to require upgrade: mvn artifact:check-buildplan
   = https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
Checking for Reproducible Builds
1. during SNAPSHOT development: check locally if you get the same result twice
   mvn clean install
   mvn clean verify artifact:compare
   ideally (harder): rebuild on a different machine, or in Docker, to detect more subtle environment impact
2. during VOTE:
   mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
3. after release pushed to Maven Central:
   mvn -Papache-release -Dgpg.skip clean verify artifact:compare
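Added example, not from the deck and not Reproducible Central's own tooling: a small checker that answers "Where is the difference?" for a reference jar and a rebuilt jar by naming the causes the "How?" slide lists (timestamps, entry order) plus leaked environment content. build_jar and the sample entries are constructed stand-ins for a real build's output, and the pinned 1980 timestamp stands in for whatever fixed timestamp the build configuration sets.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

Entry = Tuple[str, tuple, str]  # (entry name, DOS date_time, sha256 of content)

def archive_entries(data: bytes) -> List[Entry]:
    """Entries of a jar/zip in archive order, with timestamp and content hash."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(i.filename, i.date_time, hashlib.sha256(zf.read(i)).hexdigest())
                for i in zf.infolist()]

def compare_archives(reference: bytes, rebuilt: bytes) -> List[str]:
    """One finding per cause of non-reproducibility; empty list = bit-for-bit identical."""
    if reference == rebuilt:
        return []
    ref, new = archive_entries(reference), archive_entries(rebuilt)
    ref_names, new_names = [e[0] for e in ref], [e[0] for e in new]
    findings = [f"only in reference: {n}" for n in ref_names if n not in new_names]
    findings += [f"only in rebuild: {n}" for n in new_names if n not in ref_names]
    common = [n for n in ref_names if n in new_names]
    if common != [n for n in new_names if n in ref_names]:
        findings.append("entry order differs (non-deterministic file ordering)")
    ref_by, new_by = {e[0]: e for e in ref}, {e[0]: e for e in new}
    for name in common:  # shared entries: compare timestamps, then content bytes
        if ref_by[name][1] != new_by[name][1]:
            findings.append(f"timestamp differs: {name} {ref_by[name][1]} vs {new_by[name][1]}")
        if ref_by[name][2] != new_by[name][2]:
            findings.append(f"content differs: {name}")
    return findings or ["entries identical: difference is in zip metadata only"]

def build_jar(files: Dict[str, bytes], order: List[str], date_time: tuple) -> bytes:
    """Constructed stand-in for a build tool writing a jar with a chosen order/timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()

# Constructed sample: same sources, but the rebuild wrote entries in filesystem order,
# stamped them with the wall clock and leaked the user name (the slide's "found username").
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # a pinned timestamp, as a build config would set
WALL_CLOCK = (2023, 10, 10, 12, 34, 56)
FILES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
         "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x3d",
         "build.properties": b"built.by=alice\n"}
LEAKED = {**FILES, "build.properties": b"built.by=bob\n"}
REFERENCE = build_jar(FILES, sorted(FILES), FIXED_TIME)
REBUILT = build_jar(LEAKED, ["com/example/App.class", "META-INF/MANIFEST.MF",
                             "build.properties"], WALL_CLOCK)
FIXED_REBUILD = build_jar(FILES, sorted(FILES), FIXED_TIME)  # determinism restored
```

compare_archives(REFERENCE, REBUILT) reports the order difference, three timestamp differences and the leaked build.properties, while FIXED_REBUILD compares identical: the same three fixes the "How?" slide asks for.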
Reproducible Builds for Gradle
● since Gradle 3.4
https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
Gradle in Reproducible Central
Need Help!
Reproducible Builds for sbt
Need Help!
Quiz: to be or not to be Reproducible
#1 Reproducible or not?
#2 Reproducible or not?
#3 Reproducible or not?
#4 Reproducible or not? PLEASE use only LTS for release
What’s next? for the JVM… and beyond…
● Maven:
○ make more Maven plugins produce Reproducible output
○ help more projects enable Reproducible Builds
● Gradle:
○ help more projects enable Reproducible Builds
○ improve Reproducible Central rebuilds for these
● sbt
● npm & npmjs
● pip & PyPI
● .NET & NuGet Gallery
● …
for the ASF: please audit your binaries during VOTEs
mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
it’s ok not to be RB perfect: next time will be better
Merci (thank you)
Source deck: CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx
Editor's Notes

1. Reproducible Builds started with Linux distributions: this provided much experience and tools when starting to apply Reproducible Builds principles to Java, Maven and Maven Central. Today, after 4 years of hard work, more than 1600 releases from 500 projects have been proven reproducible: it works at large scale! It's time to share learnings and try to expand to other languages used at the Apache Software Foundation. 40 minutes