Add support for reproducibility on reproducible-central #747
Comments
|
yes, we want to be compatible with reproducible central.
|
|
This is from the comment INRIA/spoon#5760 (comment)
|
The release commit will be added to the main branch automatically, when we run the release pipeline successfully. On a side note, we should fix the pipeline to wait until checks are passed to merge. |
monperrus
changed the title
5.1.0 does not exist in the main branch
monperrus
changed the title
|
there is already some files in reproducible-central about maven-lockfile: https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/github/chains-project/maven-lockfile/README.md However, maven-lockfile is not reproducible. |
|
I don't think there is a good solution for this at the moment as long as quarkus is a dependency. The ordering of the content in a couple of class files produced during the build is non-deterministic which of course affects the checksum of the jar file of the github action module. See: 1, 2, 3, etc. They seem to be looking to improve on this. |
|
thanks for the analysis. why do we need quarkus? can we remove the dependency and the corresponding feature? |
|
It is a dependency of the Java package used for interaction with github actions, which essentially is the entire (relatively small) application. I'm not familiar enough with the Java packages available for this, and if there are alternatives, whether it is "worth" switching is not something I can determine. |
|
Not fixed, only added badge to readme. |
We should create a commit and push it to the default branch so that our releases have a corresponding commit. This is good because it will be easy to integrate the project with reproducible central to guarantee reproducibility.
This release may not be fixed, but for later releases we must have a commit.
The text was updated successfully, but these errors were encountered: