Reproducible Builds with Apache Maven
Hervé Boutemy
DEVOXX FRANCE 2024
About Me: Hervé Boutemy
● Java, since 1.0-beta
● CI, DevOps
● Enterprise Architecture
● DevSecOps
● Solutions Architect
● Software Supply Chain
About Me: Hervé Boutemy
● SBOM: CycloneDX, SPDX
● Reproducible Builds for the JVM:
○ discovered at Devoxx FR 2016 (post-processing)
○ actively working on it since January 2019 (Maven built-in)
● Maven PMC Member
● ASF Member
AGENDA
1. Reproducible Builds
what? why? how?
2. Reproducible Builds with Maven
- rebuild and check binaries
- configure your Maven build
3. Quiz
to be or not to be (Reproducible)
1. Reproducible Builds: Principles
what? why? how?
Diagram: input source code → builder → output binaries; the same source code → rebuilder → the same output binaries (bit for bit). The first build is the reference.
“a set of software development practices that create an independently-verifiable path from source to binary code”
https://reproducible-builds.org/ (since 2013)
Why does it matter?
● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process”
● my own experience
○ you have the source code of an OSS project, but are you really able to rebuild it?
■ is it the real Git commit? is a “Build successful” message sufficient?
○ are you sure nothing from your build environment leaked into the output binaries?
■ found so far: username, hostname, path to the current directory, private key passphrase, …
○ permits build efficiency through a build cache
● when you outsource a new development
○ “of course”, in addition to binaries, they deliver source code + build instructions…
○ how do you audit? do you just assume you get the expected binaries if you follow the instructions?
How?
● reproducible-builds.org:
1. prerequisite: the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded, and output always has to be written in the same order.
2. requirement: the build environment should either be recorded or pre-defined = build specification.
3. objective: rebuild and validate that the output matches the original build.
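The two sources of non-determinism named in the prerequisite, timestamps and write order, are enough to make two builds of identical sources differ. The following is an added example, not code from the slides or from Maven: a naive jar builder that stamps entries with the build clock and writes them in whatever order the filesystem listed them, next to a post-processing normalizer (the 2016-era approach mentioned earlier) that sorts entries and pins every timestamp. The "class" contents, the entry names and the pinned timestamp are constructed.

```python
"""Added example: two sources of jar non-determinism (entry timestamps and
entry order) and a post-processing normalizer that removes both."""
import hashlib
import io
import zipfile

# Constructed sample "compiled" content, identical on both builds.
SOURCES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 App",
    "com/example/Util.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 Util",
}

# Constructed fixed timestamp a reproducible build pins instead of the clock
# (Maven's project.build.outputTimestamp plays this role). ZIP stores local
# date/time with 2-second resolution, so an even second avoids rounding.
OUTPUT_TIMESTAMP = (2024, 4, 17, 10, 0, 0)


def build_jar(entries, order, mtime):
    """Naive builder: entries in filesystem listing order, stamped with the
    wall-clock time of the build. Both are environment leaks."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in order:
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = 0o644 << 16  # fixed unix permissions
            zf.writestr(info, entries[name])
    return buf.getvalue()


def normalize_jar(data, timestamp=OUTPUT_TIMESTAMP):
    """Post-processing fix: rewrite the archive with entries sorted by name
    and every entry timestamp pinned to the same value."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in sorted(src.namelist()):
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.external_attr = src.getinfo(name).external_attr
            dst.writestr(info, src.read(name))
    return out.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def demo():
    """Builder and rebuilder: same sources, different listing order and clock.
    Returns the digests before and after normalization."""
    first = build_jar(SOURCES, list(SOURCES), (2024, 4, 17, 9, 12, 30))
    second = build_jar(SOURCES, sorted(SOURCES, reverse=True), (2024, 4, 18, 14, 5, 2))
    return {
        "raw_first": sha256(first),
        "raw_second": sha256(second),
        "normalized_first": sha256(normalize_jar(first)),
        "normalized_second": sha256(normalize_jar(second)),
    }


if __name__ == "__main__":
    for label, digest in demo().items():
        print(f"{label:18} {digest}")
```

Normalizing after the fact works, but it only repairs what the archiver added; anything the build itself wrote into the content (a username in a manifest, a path in a properties file) survives normalization, which is why the built-in approach of making the build deterministic at the source is preferable.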
2. Reproducible Builds for Maven: Practice
- rebuild and check binaries
- configure your Maven build
Reproducible Central (started 03-2020)
https://github.com/jvm-repo-rebuild/reproducible-central
Rebuild a published release from its build specification:
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
What If a Difference is Found?
1. Where is the difference?
2. What is the difference? https://diffoscope.org/
3. Why? How to fix it?
Practice (continued): configure your Maven build
Reproducible Builds for Maven (since 03-2020)
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
1. Enable Reproducible Builds:
2. Check plugins known to require an upgrade: mvn artifact:check-buildplan
(see https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html)
(these updates are necessary, but perhaps not sufficient…)
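The pom.xml change behind "Enable Reproducible Builds", shown here as an added example rather than the slide's own snippet: the guide linked above enables reproducible output by declaring the `project.build.outputTimestamp` property, which the core Maven plugins then use for every archive entry instead of the build clock (this is also why `artifact:check-buildplan` exists: plugin versions too old to honor the property must be upgraded). The timestamp value and the project coordinates are constructed.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>        <!-- constructed coordinates -->
  <artifactId>app</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Fixed timestamp for all archive entries instead of the build clock.
         ISO-8601 in UTC, or seconds since the epoch; the value itself is
         a constructed example. -->
    <project.build.outputTimestamp>2024-04-17T10:00:00Z</project.build.outputTimestamp>
  </properties>
</project>
```

Once the property is in place, `mvn artifact:check-buildplan` reports which plugins in the effective build still need a newer version; the remaining step is the manual check below.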
Manual Checking for Reproducible Builds
1. during SNAPSHOT development: check locally that you get the same result twice
mvn clean install
mvn clean verify artifact:compare
ideally (harder): rebuild on a different machine, or in Docker, to detect more subtle environment impact
2. after the release is pushed to Maven Central:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare
or during release candidate review, or if the release is published somewhere else:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
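When the second build or `artifact:compare` reports a mismatch, the next questions are the ones from "What If a Difference is Found?": where and what. The following is an added example, not the maven-artifact-plugin's or diffoscope's own code: it compares two jars entry by entry, separates content differences from timestamp and permission differences, and prints the changed lines of a text entry. The two jars are constructed inline: same classes, but the second build's manifest leaked the builder's username and JDK, the kind of environment leak listed earlier.

```python
"""Added example: entry-by-entry comparison of a reference jar and a rebuilt
jar, reporting WHERE the difference is and WHAT it is."""
import difflib
import io
import zipfile


def make_jar(entries, mtime=(2024, 4, 17, 10, 0, 0)):
    """Build an in-memory jar from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=mtime), data)
    return buf.getvalue()


# Constructed sample: the classes are identical, the manifest is not, and the
# rebuild ran a day later so every entry carries a different timestamp.
CLASSES = {
    "com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 App",
    "com/example/Util.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x34 Util",
}
REFERENCE = make_jar({
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nCreated-By: Maven JAR Plugin 3.3.0\r\n\r\n",
    **CLASSES,
})
REBUILT = make_jar({
    "META-INF/MANIFEST.MF": (b"Manifest-Version: 1.0\r\nCreated-By: Maven JAR Plugin 3.3.0\r\n"
                             b"Built-By: alice\r\nBuild-Jdk: 17.0.10\r\n\r\n"),
    **CLASSES,
}, mtime=(2024, 4, 18, 9, 30, 0))


def compare_jars(reference, rebuilt):
    """Return {entry name: status}. Content is checked before metadata, so a
    'timestamp differs' entry has byte-identical content."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(reference)) as ref, zipfile.ZipFile(io.BytesIO(rebuilt)) as new:
        ref_names, new_names = set(ref.namelist()), set(new.namelist())
        for name in sorted(ref_names | new_names):
            if name not in new_names:
                report[name] = "missing in rebuild"
            elif name not in ref_names:
                report[name] = "extra in rebuild"
            elif ref.read(name) != new.read(name):
                report[name] = "content differs"
            elif ref.getinfo(name).date_time != new.getinfo(name).date_time:
                report[name] = "timestamp differs"
            elif ref.getinfo(name).external_attr != new.getinfo(name).external_attr:
                report[name] = "permissions differ"
            else:
                report[name] = "identical"
    return report


def is_reproducible(report):
    return all(status == "identical" for status in report.values())


def explain(reference, rebuilt, name):
    """For a text entry whose content differs, return only the added ('+')
    and removed ('-') lines, the 'what' that diffoscope shows at scale."""
    with zipfile.ZipFile(io.BytesIO(reference)) as ref, zipfile.ZipFile(io.BytesIO(rebuilt)) as new:
        a = ref.read(name).decode("utf-8", "replace").splitlines()
        b = new.read(name).decode("utf-8", "replace").splitlines()
    diff = difflib.unified_diff(a, b, "reference/" + name, "rebuild/" + name, lineterm="", n=0)
    return [line for line in diff
            if line.startswith(("+", "-")) and not line.startswith(("+++", "---"))]


if __name__ == "__main__":
    report = compare_jars(REFERENCE, REBUILT)
    for name, status in report.items():
        print(f"{status:18} {name}")
    for name, status in report.items():
        if status == "content differs" and name.endswith((".MF", ".properties", ".xml")):
            print("\n".join(explain(REFERENCE, REBUILT, name)))
    print("reproducible:", is_reproducible(report))
```

The report separates two fixes: timestamp-only differences go away once `project.build.outputTimestamp` is set and the archiver plugins are recent enough, while a content difference such as `Built-By: alice` has to be removed at the source, since no amount of re-archiving will make two manifests with different usernames match.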
3. Quiz: to be or not to be (Reproducible)?
#1 Reproducible or not?
#2 Reproducible or not?
#3 Reproducible or not?
Conclusion: summary
1. Enable Reproducible Builds: artifact:check-buildplan
2. Audit your binaries: artifact:compare
3. Look at issues: diffoscope
4. Fix what brings additional value
5. Audit and report at scale: copy reproducible-central and adapt it to your local repository
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
With Maven: just do it!
Thanks for watching
Diversity in Community is Great, not in Binary Code