* I have previously done some work on making java builds reproducible (I posted some of it in this channel) and I tried my hand at it again. I'm looking for some feedback about the following:
Should java .jar archives be made deterministic using existing methods inside the build tools, which differ tool-by-tool? or Should there be one generic setup-hook, which rewrites the .jar archives' timestamps after it was built?
I have done some progress on both ways (former, latter), but I don't know which should be the one I continue working on.
The latter solution seems a bit cheat-y for me, as almost all build systems for Java have a way for reproducibility, however this method doesn't use any of those ways, but works on all build systems. One of my concerns about this is that rewriting files inside an archive is not too transparent, so we'd need to make sure no malicious code gets included in the tool.
The former solution has its own merits, however it requires more work to implement.
|