Configuring for Reproducible Builds

What are Reproducible Builds?

Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code: a build is reproducible if given the same source code, build environment and build instructions, any party can recreate bit-by-bit identical copies of all specified artifacts.

How to configure my Maven build?

There is no Maven version prerequisite; everything happens at the plugin level:

  1. upgrade your plugins to reproducible versions, in particular maven-source-plugin, maven-jar-plugin and maven-assembly-plugin to version 3.2.0 at minimum,
  2. add the project.build.outputTimestamp property; its value (ISO 8601, as below, or an integer count of seconds since the epoch) is the timestamp written on every entry of the zip/jar/tar archives instead of the build machine's clock:
       <properties>
         <project.build.outputTimestamp>2019-10-02T08:04:00Z</project.build.outputTimestamp>
       </properties>

With this basic configuration in place, your output should now be reproducible.

If something is still not reproducible:

  1. use diffoscope to find the unstable output,
  2. find the plugin that generated this output,
  3. check whether a reproducible version of that plugin is available: if not, please open an issue to help plugin maintainers improve Reproducible Builds support at every plugin level.
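The following is an added example, not part of this guide or of Maven's own tooling, that covers both steps above: it reads project.build.outputTimestamp from a pom.xml (both accepted forms), checks that every entry of a jar carries that timestamp, and compares two builds of the same jar entry by entry, classifying each difference (timestamp only, CRLF/LF only, real content change, entry order) so the unstable output can be traced back to the plugin that produced it. The pom and the two jars are constructed inline; build_jar, demo, SAMPLE_POM and CLASS_BYTES are the example's own names. It assumes the archiver stores the UTC wall-clock of the configured instant in the zip entries (if your jars show a zone-shifted time, compare against local wall-clock instead).

```python
"""Diffoscope-style checker for Maven jar reproducibility (added example)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def read_output_timestamp(pom_xml):
    """project.build.outputTimestamp as an aware UTC datetime, accepting ISO 8601
    or integer epoch seconds; None when the property is missing or empty."""
    root = ET.fromstring(pom_xml)
    node = root.find(f"{POM_NS}properties/{POM_NS}project.build.outputTimestamp")
    if node is None or not (node.text or "").strip():
        return None
    value = node.text.strip()
    if value.isdigit():
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    # fromisoformat() accepts a trailing 'Z' only from Python 3.11 on
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def dos_date_time(ts):
    """Zip entries store a DOS date/time: wall-clock, no zone, 2-second granularity.
    Assumption: the archiver writes the UTC wall-clock of the configured instant."""
    return (ts.year, ts.month, ts.day, ts.hour, ts.minute, ts.second - ts.second % 2)


def entries_not_matching(jar_bytes, expected):
    """Names of entries whose stored time is not the expected DOS tuple."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return [i.filename for i in zf.infolist() if i.date_time != expected]


def diff_jars(jar_a, jar_b):
    """Compare two builds of one jar. Returns (order_differs, {name: reason}) with
    reason in: only-in-a, only-in-b, timestamp, newline-only, content."""
    with zipfile.ZipFile(io.BytesIO(jar_a)) as za, zipfile.ZipFile(io.BytesIO(jar_b)) as zb:
        names_a = [i.filename for i in za.infolist()]
        names_b = [i.filename for i in zb.infolist()]
        diffs = {}
        for name in sorted(set(names_a) | set(names_b)):
            if name not in names_b:
                diffs[name] = "only-in-a"
            elif name not in names_a:
                diffs[name] = "only-in-b"
            else:
                da, db = za.read(name), zb.read(name)
                if da != db:
                    # CRLF vs LF is the usual Windows-vs-Unix difference
                    same = da.replace(b"\r\n", b"\n") == db.replace(b"\r\n", b"\n")
                    diffs[name] = "newline-only" if same else "content"
                elif za.getinfo(name).date_time != zb.getinfo(name).date_time:
                    diffs[name] = "timestamp"
        # entry order is part of the bytes too: compare the order of the common names
        common_a = [n for n in names_a if n in names_b]
        common_b = [n for n in names_b if n in names_a]
        return common_a != common_b, diffs


def build_jar(entries):
    """Constructed sample jar from (name, bytes, date_time) tuples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, date_time in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


# constructed sample pom (not a real project)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.0.0</version>
  <properties>
    <project.build.outputTimestamp>2019-10-02T08:04:00Z</project.build.outputTimestamp>
  </properties>
</project>"""
CLASS_BYTES = b"\xca\xfe\xba\xbe\x00\x00\x00\x34"  # constructed class-file header only


def demo():
    """Two constructed builds: the second one came from Windows (CRLF manifest),
    reordered entries, and one plugin that ignored outputTimestamp / wrote a date."""
    expected = dos_date_time(read_output_timestamp(SAMPLE_POM))
    wall_clock = (2024, 5, 17, 13, 45, 22)
    props = "META-INF/maven/org.example/demo/pom.properties"
    first = build_jar([
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n", expected),
        ("org/example/App.class", CLASS_BYTES, expected),
        ("build.properties", b"version=1.0.0\n", expected),
        (props, b"#Wed Oct 02 08:04:00 UTC 2019\nversion=1.0.0\n", expected)])
    second = build_jar([
        ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n", expected),
        ("build.properties", b"version=1.0.0\n", wall_clock),
        ("org/example/App.class", CLASS_BYTES, expected),
        (props, b"#Fri May 17 13:45:22 UTC 2024\nversion=1.0.0\n", expected)])
    stale = entries_not_matching(second, expected)
    order_differs, diffs = diff_jars(first, second)
    return stale, order_differs, diffs


if __name__ == "__main__":
    stale, order_differs, diffs = demo()
    print("entries with a non-configured timestamp:", stale)
    print("entry order differs:", order_differs)
    for name, reason in diffs.items():
        print(f"{reason:13} {name}")
```

Each reason points at a different culprit: "timestamp" means a plugin wrote the entry without honouring the configured timestamp, "newline-only" is the Windows/Unix CRLF difference noted below, and "content" in a generated properties file usually means a plugin still embeds a build date.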

Notice: Reproducible Builds for Maven:

  • require that dependencies declare no version ranges (a range may resolve to a different version later, changing the result),
  • generally give a different result on Windows than on Unix systems because of newlines (CRLF on Windows, LF on Unix),
  • and generally depend on the major version of the JDK used to compile (even with source/target defined, each major JDK version changes the generated bytecode).

For detailed explanations, see the Maven "Reproducible/Verifiable Builds" Wiki page.

FAQ

  • Q. Can the project.build.outputTimestamp property be updated automatically at release time?

    A. This should be available in a future maven-release-plugin version: see MRELEASE-1029.