Hi everyone,

I was going to do some initial work to make our builds reproducible[1]. I
was basically going to turn on the Gradle support as per [2].

Currently jarjar isn't enabled for reproducible support. There is another
plugin[3] (doesn't seem very active) that we could use to repack after
jarjar tasks are run. Although that looks doable, I notice that the
jarjar GitHub repo has been recently archived[4], so we might want to
consider our other options in that space.

This means (after we resolve the jarjar side of things) that if two folks
on different operating systems and at different times build a distribution
from the same tag, they will get bit-for-bit the same artifacts.

For now, the timestamps will be set to the Gradle default Jan 1980 value.
Out of scope for now (but PRs welcome) will be:
* adding support so that the timestamp can be specified (Maven has an
option to do that[5])
* producing a ".buildinfo" file in the first instance as per [6]

Cheers, Paul.


[1] https://issues.apache.org/jira/browse/GROOVY-9628
[2] https://docs.gradle.org/6.5/userguide/working_with_files.html#sec:reproducible_archives
[3] https://github.com/Johni0702/gradle-reproducible-builds-plugin
[4] https://github.com/pantsbuild/jarjar
[5] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[6] https://reproducible-builds.org/docs/jvm/
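
An added example, not part of the original message and not the Groovy build's own code: it shows why two builds of the same content produce different archive bytes, and that pinning entry order, timestamps and the host-OS field makes the SHA-256 digests match. The entry names, sample bytes and the FIXED_TIME value are constructed assumptions; FIXED_TIME stands in for whatever fixed timestamp the build tool writes.

```python
import hashlib
import io
import zipfile

FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # assumed fixed value (earliest ZIP timestamp)

def build_archive(entries, normalize):
    """Pack (name, data, mtime) tuples into a ZIP held in memory.

    normalize=True sorts entries and pins timestamp, mode and host-OS field.
    """
    items = sorted(entries, key=lambda e: e[0]) if normalize else entries
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, mtime in items:
            info = zipfile.ZipInfo(name, date_time=FIXED_TIME if normalize else mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            if normalize:
                info.create_system = 3  # ZipInfo's default differs on Windows
                info.external_attr = 0o644 << 16
            zf.writestr(info, data)
    return buf.getvalue()

def digest(blob):
    return hashlib.sha256(blob).hexdigest()

def explain_diff(a, b):
    """List why two archives differ: entry order, timestamps, or content."""
    za, zb = zipfile.ZipFile(io.BytesIO(a)), zipfile.ZipFile(io.BytesIO(b))
    reasons = []
    if za.namelist() != zb.namelist():
        reasons.append("entry order")
    for name in sorted(set(za.namelist()) & set(zb.namelist())):
        ia, ib = za.getinfo(name), zb.getinfo(name)
        if ia.date_time != ib.date_time:
            reasons.append(f"timestamp:{name}")
        if ia.CRC != ib.CRC:
            reasons.append(f"content:{name}")
    return reasons

# Constructed sample: the same two files as seen by two different builders
BUILD_A = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n", (2020, 7, 1, 10, 0, 0)),
           ("org/example/Foo.class", b"\xca\xfe\xba\xbe", (2020, 7, 1, 10, 0, 2))]
BUILD_B = [("org/example/Foo.class", b"\xca\xfe\xba\xbe", (2020, 7, 3, 18, 30, 0)),
           ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n", (2020, 7, 3, 18, 30, 4))]

if __name__ == "__main__":
    print(explain_diff(build_archive(BUILD_A, False), build_archive(BUILD_B, False)))
    print(digest(build_archive(BUILD_A, True)) == digest(build_archive(BUILD_B, True)))
```
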
