Reproducible Builds for the JVM and beyond
Hervé Boutemy
Halifax, NS, 2023-10-10
About Me
● Maven PMC Member, Attic PMC Chair
● ASF Member
● working on Software Supply Chain @ Sonatype
● SBOM: CycloneDX, SPDX
● signature: Sigstore
● Reproducible Builds for the JVM:
○ discovered in April 2016 (post-processing)
○ actively working since January 2019 (Maven built-in)
Agenda
● Reproducible Builds
○ what? why? how?
● Reproducible Builds for the JVM
○ checking against Maven Central
○ configuring for Maven, Gradle, sbt
● Quiz: to be or not to be Reproducible
● What’s next?
Reproducible Builds:
what? why? how?
[diagram: input source code → builder → output binaries (the reference); the same source code → rebuilder → same output binaries (bit for bit)]
a set of software development practices that create an independently-verifiable path from source to binary code
https://reproducible-builds.org/ (since 2013)
Why does it matter?
● reproducible-builds.org:
“allow verification that no vulnerabilities or backdoors have been introduced during the compilation
process”
● my own experience
○ you have the source, but are you really able to rebuild it?
■ is it the real Git commit? is a “Build successful” message sufficient?
○ are you sure nothing from your build environment leaked into the output binaries?
■ found: username, hostname, path to current directory, private key passphrase, …
○ enables build efficiency through build caches
● ASF policy: official source release vs convenience binaries
○ how do you audit binaries staged by release manager? “Just trust”?
How?
● reproducible-builds.org:
1. the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded and output always has to be written in the same order.
2. the set of tools used to perform the build and more generally the build environment should either be recorded or pre-defined.
3. users should be given a way to recreate a close enough build environment, perform the build process, and validate that the output matches the original build.
Reproducible Builds for the JVM:
1. configure build: Maven, Gradle, sbt
2. check binaries: Maven Central
Reproducible Central (started 03-2020)
https://github.com/jvm-repo-rebuild/reproducible-central
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
What If a Difference is Found?
1. Where is the difference?
2. What is the difference? https://diffoscope.org/
3. Why? How to fix it?
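The two determinism requirements above (no wall-clock timestamps, stable output order) and the "where is the difference?" step, shown on a jar as an added example; this is not code from the talk, from Maven or from diffoscope, and the jar entries, timestamps and build functions are constructed for illustration:

```python
import hashlib
import io
import zipfile

# Constructed sample "build output": the entries of a tiny jar, name -> bytes.
# Insertion order is deliberately unsorted, like files listed by a filesystem.
SOURCE = {
    "org/example/Util.class": b"\xca\xfe\xba\xbe" + b"\x00" * 8,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nCreated-By: example\n",
    "org/example/App.class": b"\xca\xfe\xba\xbe" + b"\x00" * 12,
}
# A fixed timestamp plays the role of a pinned build date for the jar entries;
# the value is constructed for this example.
FIXED_TIME = (2023, 10, 10, 0, 0, 0)


def build_jar(entries, order, timestamp):
    """Write a jar (a zip) to memory. Entry order and the per-entry timestamp
    are the two inputs a non-deterministic build lets leak into the file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, entries[name])
    return buf.getvalue()


def naive_jar(entries, now, order=None):
    """Like an unconfigured build: wall-clock time, whatever order the
    filesystem happened to return."""
    return build_jar(entries, order or list(entries), now)


def reproducible_jar(entries):
    """Deterministic build: sorted entries and a fixed timestamp, so the
    bytes depend on the source only."""
    return build_jar(entries, sorted(entries), FIXED_TIME)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def diff_jars(a, b):
    """Entry-level answer to 'where is the difference?': a list of
    (entry, reason) pairs, empty when the two jars are bit-for-bit equal."""
    if a == b:
        return []
    za = zipfile.ZipFile(io.BytesIO(a))
    zb = zipfile.ZipFile(io.BytesIO(b))
    findings = []
    if za.namelist() != zb.namelist():
        findings.append(("<central directory>", "entry order or set differs"))
    for name in sorted(set(za.namelist()) & set(zb.namelist())):
        ia, ib = za.getinfo(name), zb.getinfo(name)
        if ia.date_time != ib.date_time:
            findings.append((name, "timestamp differs"))
        if ia.CRC != ib.CRC:
            findings.append((name, "content differs"))
    return findings


if __name__ == "__main__":
    # Two "builds" of the same source a few minutes apart, naive settings.
    first = naive_jar(SOURCE, (2023, 10, 10, 8, 0, 0))
    second = naive_jar(SOURCE, (2023, 10, 10, 8, 5, 0), order=sorted(SOURCE))
    print("naive:", sha256(first) == sha256(second), diff_jars(first, second))
    # The same source through the deterministic packaging, twice.
    r1, r2 = reproducible_jar(SOURCE), reproducible_jar(SOURCE)
    print("reproducible:", sha256(r1) == sha256(r2), diff_jars(r1, r2))
```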
Reproducible Builds for the JVM:
1. configure build: Maven, Gradle, sbt
2. check binaries: Maven Central
Reproducible Builds for Maven (since 03-2020)
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
1. Enable Reproducible Builds
2. Check plugins known to require an upgrade: mvn artifact:check-buildplan
= https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
Checking for Reproducible Builds
1. during SNAPSHOT development: check locally if you get the same result twice
mvn clean install
mvn clean verify artifact:compare
ideally (harder): rebuild on a different machine, or in Docker, to detect more subtle environment impact
2. during VOTE:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
3. after the release is pushed to Maven Central:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare
Reproducible Builds for Gradle
● since Gradle 3.4
https://docs.gradle.org/current/userguide/working_with_files.html#sec:reproducible_archives
Gradle in Reproducible Central
Need Help!
Reproducible Builds for sbt
Need Help!
Quiz:
to be or not to be Reproducible
#1 Reproducible or not?
#2 Reproducible or not?
#3 Reproducible or not?
#4 Reproducible or not? PLEASE use only LTS for release
What’s next?
for the JVM…
and Beyond…
● Maven:
○ make more Maven plugins produce Reproducible output
○ help more projects enable Reproducible Builds
● Gradle:
○ help more projects enable Reproducible Builds
○ improve Reproducible Central rebuilds for these
● sbt
● npm & npmjs
● pip & PyPI
● .NET & NuGet Gallery
● …
for the ASF:
please audit your binaries during VOTEs
mvn -Papache-release -Dgpg.skip clean verify artifact:compare
-Dreference.repo=https://repository.apache.org/content/repositories/staging/
it’s ok not to be RB perfect: next time will be better
Merci


Editor's Notes

  1. Reproducible Builds started with Linux distributions: this provided a lot of experience and tooling when we started applying Reproducible Builds principles to Java, Maven and Maven Central. Today, after 4 years of hard work, more than 1600 releases from 500 projects have been proven reproducible: it works at large scale! It's time to share what we learned and try to expand to other languages used at the Apache Software Foundation. (40 minutes)