[HN Gopher] Three Pillars of Reproducible Builds
       ___________________________________________________________________
        
       Three Pillars of Reproducible Builds
        
       Author : spatten
       Score  : 33 points
       Date   : 2022-03-08 19:19 UTC (3 hours ago)
        
 (HTM) web link (fossa.com)
 (TXT) w3m dump (fossa.com)
        
       | jiehong wrote:
       | On the JVM, maven doesn't make this particularly easy.
       | 
       | It's possible to try to store dependencies locally instead of
       | shared in a global m2 repository, but it's difficult to stop
       | maven from adding the current time in jars or wars...
       | 
       | It's as if all the default settings are the opposite of what they
       | should be for reproducible builds.
       | 
       | Any idea if there is a project to try to improve things with
       | maven or with another JVM tool? (Gradle, sbt, etc.)
        
         | mchmarny wrote:
         | If you have an option to containerize the app, Jib may be what
         | you are looking for. Plugs into Maven, and the same
         | source/content always generates the same image -
         | https://github.com/GoogleContainerTools/jib
        
           | donmcronald wrote:
           | And this is the best explanation of Jib [1], but it's hard to
           | find via Google. It's how all builds for every ecosystem
           | should work IMO.
           | 
           | 1. https://phauer.com/2019/no-fat-jar-in-docker-image/
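
Added example (not part of the thread or of any project mentioned in it), illustrating jiehong's point about build times ending up in jars: a jar is a ZIP archive, and every entry stores a modification time, so two builds of identical content hash differently unless timestamps, entry order and attributes are pinned. The file names, contents and build times below are constructed for the demonstration.

```python
import hashlib
import io
import zipfile

# Constructed sample content standing in for a manifest and a compiled class.
FILES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe constructed bytes",
}
FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # earliest timestamp the ZIP format can store


def build_jar(files, build_time=None):
    """Return jar bytes; build_time=None pins every entry to FIXED_TIME."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in sorted(files):  # stable entry order
            info = zipfile.ZipInfo(name, date_time=build_time or FIXED_TIME)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3            # do not leak the build host OS
            info.external_attr = 0o644 << 16  # fixed permissions
            jar.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entry_times(jar_bytes):
    """Map each entry name to the timestamp stored in the archive."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: i.date_time for i in jar.infolist()}


if __name__ == "__main__":
    # Same content, wall-clock times two seconds apart (constructed values).
    first = build_jar(FILES, (2022, 3, 8, 19, 19, 0))
    second = build_jar(FILES, (2022, 3, 8, 19, 19, 2))
    print("timestamped builds match:", sha256(first) == sha256(second))
    # Same content with pinned metadata.
    print("pinned builds match:     ", sha256(build_jar(FILES)) == sha256(build_jar(FILES)))
    print(entry_times(second))
```

Running `entry_times` over two real artifacts shows whether stored timestamps are what makes their hashes differ.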
        
       ___________________________________________________________________
       (page generated 2022-03-08 23:01 UTC)