Make all generated archives reproducible #2204
Description
To be able to validate a release artifact (jar, tarball, zip, etc) against the state of the source tree, the artifacts need to be generated in a reproducible way.
There are a few, totally build related differences as of today:
- jar files:
META-INF/MANIFEST.MFhave different attributes (fixed)Apache-Polaris-Is-Release(depends on the-Preleasevs just-PjarWithGitinfoproperty)Apache-Polaris-Build-Git-Describe(same as above)Apache-Polaris-Build-Timestamp- could be changed to the Git commit timestamp using UTCApache-Polaris-Build-System- remove this oneApache-Polaris-Build-Java-Version- remove this one
- jar files:
META-INF/jandex.idxare reported to be different (fixed) - jar files: mtime of
META-INF/MANIFEST.MFandMETA-INF/jandex.idxvary (fixed) -
..../quarkus/generated-bytecode.jarclass files differ. Since Quarkus 3.28.2, the generated bytecode is often the same, but there is still no guarantee. - varying order of entries in Quarkus re-assembled
.../app/polaris-*.jararchives (Reproducible order of enties inapp/<project-name>.jarquarkusio/quarkus#50578) - "group write" POSIX permission varies between platforms for zip/tar archive entries (fixed via Reproducible builds: ensure unix permissions are reproducible #2819)
With all mentioned issues addressed, it should be possible to build distribution artifacts that match binary, leading to the same sha512. - source tarballs have entries with "current mtime". The source tarballs should use a fixed mtime (fixed via Reproducible builds: use a fixed mtime for all entries in the source tarball #2823)
- "Top level POM" is not reproducible, because the POM
<developers>and<contributors>elements are dynamically populated at build time (fixed via Reproducible builds: make parent pom content reproducible #2826). - Helm chart package tarball (generated via
helm package) is not reproducible,helm packagehas no options to "fix" entries' mtime and POSIX attributes.