FS#73085 - Maven package 3.8.3 is apparently altered
Attached to Project:
Community Packages
Opened by Odne Hellebø (plitter) - Saturday, 18 December 2021, 22:28 GMT
Last edited by Levente Polyak (anthraxx) - Sunday, 19 December 2021, 18:32 GMT
Opened by Odne Hellebø (plitter) - Saturday, 18 December 2021, 22:28 GMT
Last edited by Levente Polyak (anthraxx) - Sunday, 19 December 2021, 18:32 GMT
|
Details
Description:
According to Michael Osipov the version is not correct https://issues.apache.org/jira/browse/MNG-7358?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel&focusedCommentId=17461961#comment-17461961 Additional info: $ mvn --version Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true Apache Maven 3.8.3 (NON_CANONICAL) Maven home: /opt/maven Java version: 1.8.0_292, vendor: Oracle Corporation, runtime: /usr/lib/jvm/java-8-openjdk/jre Default locale: en_GB, platform encoding: UTF-8 OS name: "linux", version: "5.15.10-arch1-1", arch: "amd64", family: "unix" * package version(s) * config and/or log files etc. * link to upstream bug report, if any Steps to reproduce: |
This task depends upon
Closed by Levente Polyak (anthraxx)
Sunday, 19 December 2021, 18:32 GMT
Reason for closing: Fixed
Additional comments about closing: 3.8.4-1
Sunday, 19 December 2021, 18:32 GMT
Reason for closing: Fixed
Additional comments about closing: 3.8.4-1
$ mvn --version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Apache Maven 3.8.3 (82fa288cd4d98612c4240ab9774cb76c68f7ee2d)
Maven home: /opt/maven
Java version: 1.8.0_292, vendor: Oracle Corporation, runtime: /usr/lib/jvm/java-8-openjdk/jre
Default locale: en_GB, platform encoding: UTF-8
OS name: "linux", version: "5.15.10-arch1-1", arch: "amd64", family: "unix"
So not sure where the NON_CANONICAL comes from. Michael Osipov mentions in the apache thread that they are giving the binaries, so maybe we don't need to be building the package at all?
Anyway. How do you build that package that results in that difference?
You need to use a clean chroot -- can you try with using extra-x86_64-build build tool from devtools? Just calling those instructions in a git clone is not the same :)
$ mvn --version
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
Apache Maven 3.8.3 (NON_CANONICAL)
Maven home: /opt/maven
Java version: 1.8.0_292, vendor: Oracle Corporation, runtime: /usr/lib/jvm/java-8-openjdk/jre
Default locale: en_GB, platform encoding: UTF-8
OS name: "linux", version: "5.15.10-arch1-1", arch: "amd64", family: "unix"
So I have no idea, why NON_CANONICAL comes then...
What is the rationale for not distributing binary prebuilds? Do you guys read through the code and verify that it is secure before building?
[1] https://github.com/apache/maven/blob/maven-3.8.3/maven-core/pom.xml#L223
You can see in the PKGBUILD we literally do 0 modifications and simply call mvn package, if the results doesn't work as expected then its more upstream to blame as innocent downstream that try to build from source without having heavy custom patches going on.
@loqs: Yes but OP claims different results without clean chroot. I tried with having git etc available during build but that doesn't seem to make a difference.
Make our packaged version 100% canonical but built from source by leveraging reproducible builds implications.
We use the upstream build number to build our version from source and check the resulting tarball against the official hashes. We literally reproduce the upstream binary dist bit by bit. This has multiple nice side
effects, most importantly we can dist a 100% canonical version that is bit by bit the same and therefor supported but still do not require to blindly repackage prebuilt artifacts.
This is literally the beauty of reproducible builds at play. We do not know who tries to reproduce their binary dists and we may not have any trust in their rebuilders (if there are any). We just want to produce artifacts ourselves from plain readable source that people can easier review and audit. However, upstream would like to ensure users are using something that works exactly the way they want it without margin of distro packaging. We get both at the same time now by comparing our tarball against the upstream tarball including the provided sha512 sums. This way we have a version that is canonical as it bit by bit matches their prebuilt files but still were not forced to trust their prebuilt packages by producing them ourselves from source.
Reproducible builds is love.