SlideShare une entreprise Scribd logo

CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx

H
Hervé Boutemy

Reproducible Builds

Logiciels
1  sur  35
for the JVM and beyond Hervé Boutemy Halifax, NS, 2023-10-10
About Me ● Maven PMC Member, Attic PMC Chair ● ASF Member ● working on Software Supply Chain @ Sonatype ● SBOM: CycloneDX, SPDX ● signature: Sigstore ● Reproducible Builds for the JVM: ○ discovered in April 2016 (post-processing) ○ actively working since January 2019 (Maven built-in)
Agenda ● Reproducible Builds ○ what? why? how? ● Reproducible Builds for the JVM ○ checking against Maven Central ○ configuring for Maven, Gradle, sbt ● Quiz: to be or not to be Reproducible ● What’s next?
Reproducible Builds: what? why? how?
input source code builder output binaries rebuilder same output binaries (bit for bit) a set of software development practices that create an independently-verifiable path from source to binary code https://reproducible-builds.org/ (since 2013) reference reference
Why does it matter? ● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process” ● my own return on experience ○ you have the source, but are you really able to rebuild? ■ is it the real Git commit? is “Build successful” message sufficient? ○ are you sure nothing from your build environment leaked into output binaries? ■ found username, hostname, path to current directory, private key passphrase, … ○ permits build efficiency from build cache ● ASF policy: official source release vs convenience binaries ○ how do you audit binaries staged by release manager? “Just trust”?
How? ● reproducible-build.org: 3. users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build. 2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined. 1. the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded and output always has to be written in the same order.
Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
Reproducible Central (started 03-2020) https://github.com/jvm-repo-rebuild/reproducible-central
Reproducible Central https://github.com/jvm-repo-rebuild/reproducible-central
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/
What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/ 2. Why? How to Fix?
Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
Reproducible Builds for Maven (since 03-2020) https://maven.apache.org/guides/mini/guide-reproducible-builds.html 1. Enable Reproducible Builds: 1. Check plugins known to require upgrade: mvn artifact:check-buildplan = https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
Checking for Reproducible Builds 3. after release pushed to Maven Central: mvn -Papache-release -Dgpg.skip clean verify artifact:compare 2. during VOTE: mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ 1. during SNAPSHOT development: Check locally if you get the same result twice mvn clean install mvn clean verify artifact:compare ideally (harder): rebuilder on a different machine, or Docker, to detect more subtle environment impact
Reproducible Builds for Gradle ● since Gradle 3.4 https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
Gradle in Reproducible Central Need Help!
Reproducible Builds for sbt Need Help!
Quiz: to be or not to be Reproducible ?
#1 Reproducible or not? ?
#2 Reproducible or not? ?
#2 Reproducible or not? ?
?
#2 Reproducible or not?
#3 Reproducible or not? ?
#3 Reproducible or not?
#4 Reproducible or not? ? PLEASE use only LTS for release
#4 Reproducible or not? ? PLEASE use only LTS for release
What’s next?
for the JVM… and Beyond… ● Maven: ○ make more Maven plugins produce Reproducible output ○ help more projects enable Reproducible Builds ● Gradle: ○ help more projects enable Reproducible Builds ○ improve Reproducible Central rebuilds for these ● sbt ● npm & npmjs ● pip & PyPI ● .NET & NuGet Gallery ● …
for the ASF: please audit your binaries during VOTEs mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ it’s ok not to be RB perfect next time will be better
Merci

Recommandé

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Maven
MavenMaven
MavenМарія Русин
 
Maven
MavenMaven
MavenFabio Bonfante
 
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017MarcinStachniuk
 
Jbossworld Presentation
Jbossworld PresentationJbossworld Presentation
Jbossworld PresentationDan Hinojosa
 
Joget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow
 
Maven
MavenMaven
MavenShraddha
 
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...mfrancis
 

Recommandé

DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
Maven
MavenMaven
MavenМарія Русин
 
Maven
MavenMaven
MavenFabio Bonfante
 
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017
Continuous Delivery w projekcie Open Source - Marcin Stachniuk - DevCrowd 2017MarcinStachniuk
 
Jbossworld Presentation
Jbossworld PresentationJbossworld Presentation
Jbossworld PresentationDan Hinojosa
 
Joget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow v6 Training Slides - 16 - Preparing Development Environment
Joget Workflow v6 Training Slides - 16 - Preparing Development EnvironmentJoget Workflow
 
Maven
MavenMaven
MavenShraddha
 
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...
Improved developer productivity thanks to Maven and OSGi - Lukasz Dywicki (Co...mfrancis
 
Maven nutshell
Maven nutshellMaven nutshell
Maven nutshellValerio Capozio
 
Introduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldIntroduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldDmitry Bakaleinik
 
Session 2
Session 2Session 2
Session 2gayathiry
 
Session 2
Session 2Session 2
Session 2gayathiry
 
Team Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformTeam Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformCarlos Ramirez Martinez-Eiroa
 
tools cli java
tools cli javatools cli java
tools cli javaTiNguyn863920
 
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow
 
Build Automation using Maven
Build Automation using Maven Build Automation using Maven
Build Automation using Maven Ankit Gubrani
 
Java User Group Cologne
Java User Group CologneJava User Group Cologne
Java User Group CologneSoftware Entwicklung Beratung Schulung
 
Java build tools
Java build toolsJava build tools
Java build toolsSujit Kumar
 
Maven 3.0 at Øredev
Maven 3.0 at ØredevMaven 3.0 at Øredev
Maven 3.0 at ØredevMatthew McCullough
 
Intelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulIntelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulMert Çalışkan
 
[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using ShipkitMarcinStachniuk
 
Continuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgContinuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgMarcinStachniuk
 
NI Package Manager
NI Package ManagerNI Package Manager
NI Package ManagerDMC, Inc.
 
Ordina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenOrdina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenBert Koorengevel
 
Towards Continuous Deployment with Django
Towards Continuous Deployment with DjangoTowards Continuous Deployment with Django
Towards Continuous Deployment with DjangoRoger Barnes
 
Jenkins advance topic
Jenkins advance topicJenkins advance topic
Jenkins advance topicKalkey
 
Agile Software Development & Tools
Agile Software Development & ToolsAgile Software Development & Tools
Agile Software Development & ToolsLuismi Amorós Martínez
 
Spring Native and Spring AOT
Spring Native and Spring AOTSpring Native and Spring AOT
Spring Native and Spring AOTVMware Tanzu
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 

Contenu connexe

Similaire à CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx

Introduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldIntroduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldDmitry Bakaleinik
 
Team Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformTeam Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformCarlos Ramirez Martinez-Eiroa
 
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow
 
Build Automation using Maven
Build Automation using Maven Build Automation using Maven
Build Automation using Maven Ankit Gubrani
 
Java build tools
Java build toolsJava build tools
Java build toolsSujit Kumar
 
Intelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulIntelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulMert Çalışkan
 
[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using ShipkitMarcinStachniuk
 
Continuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgContinuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgMarcinStachniuk
 
NI Package Manager
NI Package ManagerNI Package Manager
NI Package ManagerDMC, Inc.
 
Ordina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenOrdina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenBert Koorengevel
 
Towards Continuous Deployment with Django
Towards Continuous Deployment with DjangoTowards Continuous Deployment with Django
Towards Continuous Deployment with DjangoRoger Barnes
 
Jenkins advance topic
Jenkins advance topicJenkins advance topic
Jenkins advance topicKalkey
 
Spring Native and Spring AOT
Spring Native and Spring AOTSpring Native and Spring AOT
Spring Native and Spring AOTVMware Tanzu
 

Similaire à CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx (20)

Maven nutshell
Maven nutshellMaven nutshell
Maven nutshell
 
Introduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS worldIntroduction to maven, its configuration, lifecycle and relationship to JS world
Introduction to maven, its configuration, lifecycle and relationship to JS world
 
Session 2
Session 2Session 2
Session 2
 
Session 2
Session 2Session 2
Session 2
 
Team Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce PlatformTeam Development & Continuous Integration on the Salesforce Platform
Team Development & Continuous Integration on the Salesforce Platform
 
tools cli java
tools cli javatools cli java
tools cli java
 
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
Joget Workflow v5 Training Slides - Module 16 - Preparing Development Environ...
 
Build Automation using Maven
Build Automation using Maven Build Automation using Maven
Build Automation using Maven
 
Java User Group Cologne
Java User Group CologneJava User Group Cologne
Java User Group Cologne
 
Java build tools
Java build toolsJava build tools
Java build tools
 
Maven 3.0 at Øredev
Maven 3.0 at ØredevMaven 3.0 at Øredev
Maven 3.0 at Øredev
 
Intelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest IstanbulIntelligent Projects with Maven - DevFest Istanbul
Intelligent Projects with Maven - DevFest Istanbul
 
[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit[WroclawJUG] Continuous Delivery in OSS using Shipkit
[WroclawJUG] Continuous Delivery in OSS using Shipkit
 
Continuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.orgContinuous Delivery in OSS using Shipkit.org
Continuous Delivery in OSS using Shipkit.org
 
NI Package Manager
NI Package ManagerNI Package Manager
NI Package Manager
 
Ordina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - MavenOrdina Accelerator program 2019 - Maven
Ordina Accelerator program 2019 - Maven
 
Towards Continuous Deployment with Django
Towards Continuous Deployment with DjangoTowards Continuous Deployment with Django
Towards Continuous Deployment with Django
 
Jenkins advance topic
Jenkins advance topicJenkins advance topic
Jenkins advance topic
 
Agile Software Development & Tools
Agile Software Development & ToolsAgile Software Development & Tools
Agile Software Development & Tools
 
Spring Native and Spring AOT
Spring Native and Spring AOTSpring Native and Spring AOT
Spring Native and Spring AOT
 

Dernier

Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataBradBedford3
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....kzayra69
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)jennyeacort
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based projectAnoyGreter
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEOrtus Solutions, Corp
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 

Dernier (20)

Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer DataAdobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
Adobe Marketo Engage Deep Dives: Using Webhooks to Transfer Data
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....What are the key points to focus on before starting to learn ETL Development....
What are the key points to focus on before starting to learn ETL Development....
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
Call Us🔝>༒+91-9711147426⇛Call In girls karol bagh (Delhi)
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
MYjobs Presentation Django-based project
MYjobs Presentation Django-based projectMYjobs Presentation Django-based project
MYjobs Presentation Django-based project
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASEBATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
BATTLEFIELD ORM: TIPS, TACTICS AND STRATEGIES FOR CONQUERING YOUR DATABASE
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 

CoC NA 2023 - Reproducible Builds for the JVM and beyond.pptx

  • 1. for the JVM and beyond Hervé Boutemy Halifax, NS, 2023-10-10
  • 2. About Me ● Maven PMC Member, Attic PMC Chair ● ASF Member ● working on Software Supply Chain @ Sonatype ● SBOM: CycloneDX, SPDX ● signature: Sigstore ● Reproducible Builds for the JVM: ○ discovered in April 2016 (post-processing) ○ actively working since January 2019 (Maven built-in)
  • 3. Agenda ● Reproducible Builds ○ what? why? how? ● Reproducible Builds for the JVM ○ checking against Maven Central ○ configuring for Maven, Gradle, sbt ● Quiz: to be or not to be Reproducible ● What’s next?
  • 5. input source code builder output binaries rebuilder same output binaries (bit for bit) a set of software development practices that create an independently-verifiable path from source to binary code https://reproducible-builds.org/ (since 2013) reference reference
  • 6. Why does it matter? ● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process” ● my own return on experience ○ you have the source, but are you really able to rebuild? ■ is it the real Git commit? is “Build successful” message sufficient? ○ are you sure nothing from your build environment leaked into output binaries? ■ found username, hostname, path to current directory, private key passphrase, … ○ permits build efficiency from build cache ● ASF policy: official source release vs convenience binaries ○ how do you audit binaries staged by release manager? “Just trust”?
  • 7. How? ● reproducible-build.org: 3. users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build. 2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined. 1. the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded and output always has to be written in the same order.
  • 8. Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
  • 9. Reproducible Central (started 03-2020) https://github.com/jvm-repo-rebuild/reproducible-central
  • 11.
  • 13.
  • 14. What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/
  • 15. What If a Difference is Found? 1. Where is the difference? 2. What is the difference? https://diffoscope.org/ 2. Why? How to Fix?
  • 16. Reproducible Builds for the JVM: 2. check binaries: Maven Central 1. configure build: Maven, Gradle, sbt
  • 17. Reproducible Builds for Maven (since 03-2020) https://maven.apache.org/guides/mini/guide-reproducible-builds.html 1. Enable Reproducible Builds: 1. Check plugins known to require upgrade: mvn artifact:check-buildplan = https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
  • 18. Checking for Reproducible Builds 3. after release pushed to Maven Central: mvn -Papache-release -Dgpg.skip clean verify artifact:compare 2. during VOTE: mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ 1. during SNAPSHOT development: Check locally if you get the same result twice mvn clean install mvn clean verify artifact:compare ideally (harder): rebuilder on a different machine, or Docker, to detect more subtle environment impact
  • 19. Reproducible Builds for Gradle ● since Gradle 3.4 https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
  • 20. Gradle in Reproducible Central Need Help!
  • 21. Reproducible Builds for sbt Need Help!
  • 22. Quiz: to be or not to be Reproducible ?
  • 26. ?
  • 30. #4 Reproducible or not? ? PLEASE use only LTS for release
  • 31. #4 Reproducible or not? ? PLEASE use only LTS for release
  • 33. for the JVM… and Beyond… ● Maven: ○ make more Maven plugins produce Reproducible output ○ help more projects enable Reproducible Builds ● Gradle: ○ help more projects enable Reproducible Builds ○ improve Reproducible Central rebuilds for these ● sbt ● npm & npmjs ● pip & PyPI ● .NET & NuGet Gallery ● …
  • 34. for the ASF: please audit your binaries during VOTEs mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ it’s ok not to be RB perfect next time will be better
  • 35. Merci

Notes de l'éditeur

  1. Reproducible Builds started with Linux distributions: this provided much experience and tools when starting applying Reproducible Builds principles to Java, Maven and Maven Central. Today, after 4 years of hard work, more than 1600 releases from 500 projects were proven reproducible: it works at large scale! It's time to share learnings and try to expand to other languages used at the Apache Software Foundation. 40 minutes