Absolute paths in builddef.lst make the builds non reproducible #52
Comments
|
This issue has been addressed in Debian with this patch: |
|
@ebourg I think this project has been abandoned, please make a pull request to https://github.com/nickwongdev/aspectj-maven-plugin , we definitely need this. |
|
I have the same problem. |
After in the previous commit the plugin itself was improved to produce reproducible builds, this commit is about plugin users: By using a combination of 'argumentFileDirectory' and 'argumentFileName', it is now easy to generate argument files (builddef.lst) outside the target/classes and target/test-classes directories, thus making AspectJ Maven builds reproducible. Fixes a problem which also exists in the MojoHaus plugin, see mojohaus/aspectj-maven-plugin#52.
|
I just fixed this problem for the AspectJ.dev plugin variant in commit dev-aspectj/aspectj-maven-plugin@b4c9a8c. You also find comprehensive Javadoc and an example integration test there. If you add this snapshot repository https://oss.sonatype.org/content/repositories/snapshots to your POM, you can test it without building the plugin yourself. I just deployed a snapshot there. Feedback is welcome. If it works for you, I can soon publish a release. Please note that I did not follow @ebourg's example to replace absolute by relative paths for the following reasons:
The correct solution is to not package the argument files into the build artifact in the first place by locating them outside target/classes and target/test-classes. For backward compatibility, this is not the default, but with the new option P.S.: In the preceding commit dev-aspectj/aspectj-maven-plugin@a323cd2, I also made the AspectJ Maven builds themselves reproducible. Part of it has also been implemented here in the MojoHaus version, but only for the main JAR, not for the Javadoc JAR. My commit solves both issues.
Correction: The project had been inactive for ~3.5 years, which is why Nick created his fork. After he had officially abandoned that one too, I created the AspectJ.dev fork, which is actively maintained and more feature-rich than this one. As an AspectJ committer, I am trying to keep it in sync with AspectJ releases, if new plugin options make sense. For new AspectJ releases or Java versions as such, you do not even need to upgrade the plugin since 1.13.1, only upgrade the AspectJ Tools plugin dependency and increase the source, target, compliance level or release option you want. My plugin does not have a fixed upper limit for Java versions, so it does not depend on a new plugin release to upgrade Java or AspectJ. The user can do it independently. Please also note that the MojoHaus plugin is (kind of) alive again, too. At least last year there was a release 1.14.0, supporting Java 16. |
|
FYI, AspectJ.dev AspectJ Maven Plugin 1.14 containing the fix for this problem has been released and is available on Maven Central. |
aspectj-maven-plugin generates a builddef.lst file with the detailed options passed to AspectJ and this file is embedded in the final jar. The various paths appearing in this file are all absolute, which means someone else rebuilding a project using the plugin will be unable to reproduce a byte identical artifact (see https://reproducible-builds.org for why it matters).
I suggest using relative paths instead (or removing the file if it isn't important).
The text was updated successfully, but these errors were encountered: