Hi all, We've got a lot of work around reproducible builds - whatever we think about it since there are good reasons to say it is pointless and some to say it is useful so I don't want to enter into the debate - but the notion is 100% hosted in plugins today. It has a few pitfalls for me:
1. plugins assume the (output) timestamp is static for a build and rebuild 2. projects often need a build timestamp related to last modifications (frontends, jar.lastModifiedTime usage, ...) Both statements don't go well with a hardcoded value - manually maintained....so not maintained and broken IRL. A workaround used by some projects is to wire the git last commit time - or equivalent - to this value but then a plugin injects the value which means another plugin can read another value or no value and corrupt the reproducibility of the build. Related to that, the work around the PR #30 on maven-artifact-plugin shows that if using a dynamic value the artifact plugin fails or at least emits a warning - which is not acceptable for a valid case IMHO. Originally I just thought about relaxing this warning but Hervé thinks it is wrong and due to the limitations mentionned earlier I think he is right too but this means we can't let a plugin handle the "output timestamp" so I wonder if we should move it to the new maven 4 service layer. The only difficulty is to let it have some pluggability, default would be a hardcoded value in properties but we should be able to use git last commit time - likely reading pack without jgit dependency - or another strategy potentially (ideally, as pointed out by Hervé, a different value per module would be highly relevant and could need some configuration, the common example being: "use the last modified time from git of files in src", ie ignore pom modifications since it does not end in the output for example). So my question is the following one: do we add output timestamp to maven 4 API and let maven 3 like that or do we consider reproducible builds are not a key thing for maven and we let it in plugins (~=outside and artifact plugin is considered not a core plugin - not sure of the status today)? I'm happy both ways but I'm way less happy with a broken setup if we consider it is supported by maven. Romain Manni-Bucau @rmannibucau <https://twitter.com/rmannibucau> | Blog <https://rmannibucau.metawerx.net/> | Old Blog <http://rmannibucau.wordpress.com> | Github <https://github.com/rmannibucau> | LinkedIn <https://www.linkedin.com/in/rmannibucau> | Book <https://www.packtpub.com/application-development/java-ee-8-high-performance>
