Skip to content

Make all generated archives reproducible #2204

New issue
New issue
Open
Open
Make all generated archives reproducible#2204
Labels
enhancementNew feature or request
@snazy

Description

@snazy
snazy
opened on Jul 29, 2025

To be able to validate a release artifact (jar, tarball, zip, etc) against the state of the source tree, the artifacts need to be generated in a reproducible way.

There are a few, totally build related differences as of today:

  1. jar files: META-INF/MANIFEST.MF have different attributes (fixed)
    • Apache-Polaris-Is-Release (depends on the -Prelease vs just -PjarWithGitinfo property)
    • Apache-Polaris-Build-Git-Describe (same as above)
    • Apache-Polaris-Build-Timestamp - could be changed to the Git commit timestamp using UTC
    • Apache-Polaris-Build-System - remove this one
    • Apache-Polaris-Build-Java-Version - remove this one
  2. jar files: META-INF/jandex.idx are reported to be different (fixed)
  3. jar files: mtime of META-INF/MANIFEST.MF and META-INF/jandex.idx vary (fixed)
  4. ..../quarkus/generated-bytecode.jar class files differ. Since Quarkus 3.28.2, the generated bytecode is often the same, but there is still no guarantee.
  5. varying order of entries in Quarkus re-assembled .../app/polaris-*.jar archives (Reproducible order of enties in app/<project-name>.jar quarkusio/quarkus#50578)
  6. "group write" POSIX permission varies between platforms for zip/tar archive entries (fixed via Reproducible builds: ensure unix permissions are reproducible #2819)
    With all mentioned issues addressed, it should be possible to build distribution artifacts that match binary, leading to the same sha512.
  7. source tarballs have entries with "current mtime". The source tarballs should use a fixed mtime (fixed via Reproducible builds: use a fixed mtime for all entries in the source tarball #2823)
  8. "Top level POM" is not reproducible, because the POM <developers> and <contributors> elements are dynamically populated at build time (fixed via Reproducible builds: make parent pom content reproducible #2826).
  9. Helm chart package tarball (generated via helm package) is not reproducible, helm package has no options to "fix" entries' mtime and POSIX attributes. See: Releasy: make Helm package reproducible (Releasy: make Helm package reproducible #3086)
  10. Source-tarball - eliminate git-gzip risk (via Source-tarball - eliminate git-gzip risk #3075)
  11. Build: Ensure reproducible .properties files (via Build: Ensure reproducible .properties files #3089)

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions