
jetty-jspc-maven-plugin: Support reproducible builds #12295

Closed
stokito opened this issue Sep 22, 2024 · 10 comments
Comments

@stokito commented Sep 22, 2024

Jetty version(s)
11.0.20

Enhancement Description
Reproducible builds are needed to get an independently verifiable path from source to binary code. This mainly means removing build timestamps and compiler-specific info.

Maven does support them and provides a guide, Configuring for Reproducible Builds.
So here is the first question: is the build of the Jetty artifacts reproducible?
I use jetty-jspc-maven-plugin v11.0.20 to compile JSP pages, and when I run mvn artifact:check-buildplan it shows the error:

[ERROR] plugin without solution org.eclipse.jetty:jetty-jspc-maven-plugin:11.0.20

I'm not sure if there are any problems; maybe the plugin is perfectly fine and makes reproducible builds. Maybe this can be reported to Maven itself.
But anyway, it would be great if you could officially confirm that the plugin does support such a way of building.
So do you know if any problems may arise with the plugin?

@stokito (Author) commented Sep 22, 2024

I also found good instructions: https://vishia.org/Java/html5/source+build/reproducibleJar.html

In basic usage it looks like it should be enough to add a static build timestamp to the pom.xml:

    <properties>
        <project.build.outputTimestamp>2023-01-01T00:00:00Z</project.build.outputTimestamp>
    </properties>

But we also need to exclude a few generated fields from the jar manifest:

    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-jar-plugin</artifactId>
        <version>3.4.2</version>
        <configuration>
            <archive>
                <manifest>
                    <!-- Don't add Created-By and Build-Jdk-Spec fields to manifest for reproducible builds -->
                    <addDefaultEntries>false</addDefaultEntries>
                </manifest>
            </archive>
        </configuration>
    </plugin>

@olamy (Member) commented Sep 23, 2024

I will check the jspc plugin, but I guess some files generated by Jasper may contain a timestamp.
But this has nothing to do with the jar plugin and the build timestamp.

@olamy (Member) commented Sep 23, 2024

FTR this has been added because of this finding:

https://github.com/jvm-repo-rebuild/reproducible-central/blob/96a161d34f6511830d0b2cffc9cf576d5247db9e/content/org/apache/nifi/nifi/nifi-1.16.0.diffoscope#L167

As you can see, Jasper is adding timestamps to generated Java files, and even names in web.xml are different :(
I need to check the Jasper/Tomcat sources for this.

@stokito (Author) commented Sep 23, 2024

The JSPs are not compiled deterministically. Sometimes they use an early return and sometimes not. I guess this may happen because the compiler internally has some hashmap with random order.
I tested on Openfire and the issue is quite reproducible there, in xmppserver-4.10.0-SNAPSHOT.jar:/org/jivesoftware/openfire/admin/decorators/main_jsp.class.
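The two kinds of difference discussed in this thread (machine-dependent jar metadata, which the pom.xml settings above remove, and genuinely different compiled output such as the non-deterministic main_jsp.class) can be told apart by comparing two builds of the same artifact entry by entry. The script below is an added example, not code from Jetty, Maven or the issue author: it buckets differences into zip entry timestamps (what project.build.outputTimestamp fixes), the Created-By/Build-Jdk-Spec manifest attributes (what addDefaultEntries=false removes), and content differences that need a fix in the generator itself. The jars it compares are constructed in memory; the entry name org/example/main_jsp.class and the manifest values are placeholders.

```python
"""Compare two builds of the same jar and classify what keeps them from
matching.  Added example for this thread; not code from Jetty, Maven or
the issue author.  Sample jars are constructed in memory."""
import hashlib
import io
import zipfile

# Manifest attributes that maven-jar-plugin adds by default and that vary
# with the build machine; <addDefaultEntries>false</addDefaultEntries>
# keeps them out of the manifest.
VOLATILE_MANIFEST_KEYS = {"Created-By", "Build-Jdk-Spec"}

# Fixed zip entry timestamp, mirroring
# <project.build.outputTimestamp>2023-01-01T00:00:00Z</project.build.outputTimestamp>
FIXED_STAMP = (2023, 1, 1, 0, 0, 0)


def parse_manifest(data: bytes) -> dict:
    """Parse the main section of a MANIFEST.MF into a dict.
    A line starting with a space continues the previous attribute."""
    attrs, last_key = {}, None
    for line in data.decode("utf-8").splitlines():
        if not line:
            break  # blank line ends the main section
        if line.startswith(" ") and last_key is not None:
            attrs[last_key] += line[1:]
            continue
        key, _, value = line.partition(": ")
        attrs[key] = value
        last_key = key
    return attrs


def compare_jars(jar_a: bytes, jar_b: bytes) -> dict:
    """Return the differences between two jars, bucketed by cause."""
    findings = {"missing": [], "timestamp": [], "manifest": [], "content": []}
    with zipfile.ZipFile(io.BytesIO(jar_a)) as za, \
         zipfile.ZipFile(io.BytesIO(jar_b)) as zb:
        names_a, names_b = set(za.namelist()), set(zb.namelist())
        findings["missing"] = sorted(names_a ^ names_b)
        for name in sorted(names_a & names_b):
            if za.getinfo(name).date_time != zb.getinfo(name).date_time:
                findings["timestamp"].append(name)
            data_a, data_b = za.read(name), zb.read(name)
            if name == "META-INF/MANIFEST.MF":
                ma, mb = parse_manifest(data_a), parse_manifest(data_b)
                findings["manifest"] = sorted(
                    k for k in set(ma) | set(mb) if ma.get(k) != mb.get(k))
            elif hashlib.sha256(data_a).digest() != hashlib.sha256(data_b).digest():
                findings["content"].append(name)
    return findings


def is_reproducible(findings: dict) -> bool:
    """True when no bucket holds a difference."""
    return not any(findings.values())


def volatile_keys_present(jar: bytes) -> set:
    """Which machine-specific manifest attributes a jar still carries."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return VOLATILE_MANIFEST_KEYS & set(parse_manifest(zf.read("META-INF/MANIFEST.MF")))


def build_sample_jar(stamp, manifest_extra="", class_body=b"\xca\xfe\xba\xbe-A") -> bytes:
    """Constructed stand-in for one `mvn package` run (not a real Maven jar)."""
    manifest = ("Manifest-Version: 1.0\r\n" + manifest_extra + "\r\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("META-INF/MANIFEST.MF", manifest),
                           ("org/example/main_jsp.class", class_body)):
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()


if __name__ == "__main__":
    # Two runs with default settings: wall clock and JDK version leak into the jar.
    run1 = build_sample_jar((2024, 9, 22, 10, 15, 30),
                            "Created-By: Maven JAR Plugin 3.4.2\r\nBuild-Jdk-Spec: 17\r\n")
    run2 = build_sample_jar((2024, 9, 23, 8, 0, 0),
                            "Created-By: Maven JAR Plugin 3.4.2\r\nBuild-Jdk-Spec: 21\r\n")
    print("default build:", compare_jars(run1, run2))
    # Two runs with a fixed outputTimestamp and addDefaultEntries=false.
    print("fixed build reproducible:",
          is_reproducible(compare_jars(build_sample_jar(FIXED_STAMP),
                                       build_sample_jar(FIXED_STAMP))))
    # Same settings, but the compiler emitted a different class body.
    print("generator difference:",
          compare_jars(build_sample_jar(FIXED_STAMP),
                       build_sample_jar(FIXED_STAMP, class_body=b"other-B")))
```

Only the "content" bucket points at a problem the pom.xml settings cannot solve; entries listed there are the ones to take to the code generator (here Jasper), which is the distinction the rest of this thread turns on.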

@hboutemy (Contributor) commented

@stokito don't hesitate to activate Reproducible Builds even if one plugin is not ok: RB is a journey, it's ok not to be perfect on the first iteration.

@hboutemy (Contributor) commented

@stokito your Openfire project is interesting: https://github.com/igniterealtime/Openfire
Do you publish your release binaries only to GitHub releases, or do you also publish to Maven Central?

Having a third party rebuild independently and compare to the reference is a key workflow: IIUC the current latest release 4.9.0 does not try to have Reproducible Builds; it would be nice to have the next release activate the Reproducible Builds flag, so we can share concrete rebuilds and their differences from the reference released binaries.

@olamy (Member) commented Sep 25, 2024

@stokito right, after some digging I think it's a non-issue as you are using Jetty 11.x (why not upgrade to 12? ;) ).

This has been fixed in the Apache Tomcat code with this change: apache/tomcat@374690d#diff-57d2f0a72170743f6c3687a48997b2aa37d8d209efe200f00a0b9dc51fc7e572

I agree with @hboutemy: we need to remove the warning coming from the Apache Maven Artifact plugin.
The PR to remove the warning from the artifact plugin is apache/maven-artifact-plugin#57

@olamy (Member) commented Sep 25, 2024

@stokito I would consider this not an issue.

@joakime (Contributor) commented Sep 25, 2024

Also note, Jetty 11 is at End of Community Support.

@olamy (Member) commented Sep 30, 2024

Closing this as the PR to the Maven plugin has been merged.

olamy closed this as completed Sep 30, 2024
4 participants