Re: debian java BoF - 2014/08/25

To: debian-java@lists.debian.org
Subject: Re: debian java BoF - 2014/08/25
From: Emmanuel Bourg <ebourg@apache.org>
Date: Sat, 30 Aug 2014 23:39:13 +0200
Message-id: <[🔎] 54024481.9010109@apache.org>
In-reply-to: <[🔎] 53FE5AB9.5090704@debian.org>
References: <[🔎] 53FE5AB9.5090704@debian.org>

Le 28/08/2014 00:24, tony mancill a écrit :

> Reproducible builds:
> 
> There is interest in having reproducible builds of JARs (timestamps are
> a problem - perhaps other attributes as well?).  There will be some
> hacking in this area; the team will then assess integrating this into
> our packaging toolchain.

I'd like to highlight that the timestamp are sometimes useful for
debugging issues. For example, when a package embeds other libraries in
its jar, the timestamp on the class files may be used to guess what
version of the dependency has been embedded (see #729171 for example).

Instead of developing a tool that strips the timestamp and sorts the
content of the jars (like sortjar in ITP #759822) I'd rather suggest
developing a tool that computes the checksum of a jar by ignoring the
variable elements.

Emmanuel Bourg

Reply to:

Follow-Ups:
- Re: debian java BoF - 2014/08/25
  - From: Russ Allbery <rra@debian.org>

References:
- debian java BoF - 2014/08/25
  - From: tony mancill <tmancill@debian.org>

Prev by Date: Re: RFS: svnclientadapter/1.10.3-2 - [UPLOADED]
Next by Date: Re: debian java BoF - 2014/08/25
Previous by thread: Re: debian java BoF - 2014/08/25
Next by thread: Re: debian java BoF - 2014/08/25
Index(es):
- Date
- Thread