depstar

Discussion around https://github.com/seancorfield/depstar
cap10morgan 2021-02-24T19:34:01.016500Z

Is there a way to set the timestamp of the built jar file w/ depstar? Along the lines of Maven's reproducible build support: https://maven.apache.org/guides/mini/guide-reproducible-builds.html

seancorfield 2021-02-24T19:37:39.017200Z

@cap10morgan Nope. Never had anyone request such a feature -- I've never even heard of such a feature.

seancorfield 2021-02-24T19:38:15.018100Z

Is it supposed to set the creation timestamp to be something other than the time the JAR file was created? Or something else?

cap10morgan 2021-02-24T19:39:48.019800Z

Yeah. Basically the idea is that if you build two different JARs w/ the same build commands against the same source code (on different machines, yadda yadda yadda), the hashes of the resulting JAR files will match. Not always important / necessary, but was looking into it for one of my projects.

cap10morgan 2021-02-24T19:40:41.020200Z

so maybe timestamps of the JAR contents more than the JAR file itself

seancorfield 2021-02-24T19:53:28.021200Z

I have a feeling that Clojure builds are inherently non-reproducible due to the "random" naming of anonymous functions during compilation? Or do they use a predictable hash value?

seancorfield 2021-02-24T19:57:26.024300Z

Currently, depstar preserves the timestamp inside the JAR of the original file that was added into the JAR -- but any "directories" created inside the JAR have the timestamp of the JAR file's creation. The former is important to preserve timestamps on source and class files so Clojure knows when it loads files from the JAR whether it needs to recompile the source or not -- i.e., is the class file newer or older than the source file -- so overriding that sounds problematic from a Clojure p.o.v. (although I guess giving everything the same timestamp is probably "safe"? Still sounds wrong to me tho', messing with timestamps).

seancorfield 2021-02-24T19:58:20.025200Z

I seem to recall there was some obstacle to setting the timestamp on the folder creation but I don't remember the details so I may be off...

seancorfield 2021-02-24T20:05:18.026Z

Hmm, I just ran a few uberjar tests and the names of anonymous functions look predictable for the same source code and dependencies...

cap10morgan 2021-02-24T20:42:08.026200Z

interesting

ghadi 2021-02-24T22:18:52.026700Z

there is some other non-determinism in compilation

ghadi 2021-02-24T22:20:10.028Z

This is something useful from taviso, a star hacker on Google’s Project Zero

seancorfield 2021-02-24T22:29:35.028700Z

I will confess to rolling my eyes when I hear talk of "reproducible builds" so this piece makes me feel better about that knee-jerk reaction 🙂