Reproducible Builds with Apache Maven
Hervé Boutemy
DEVOXX FRANCE 2024
About Me: Hervé Boutemy
● Java, since 1.0-beta
● CI, DevOps
● Enterprise Architecture
● DevSecOps
● Solutions Architect
● Software Supply Chain
● SBOM: CycloneDX, SPDX
● Reproducible Builds for the JVM:
○ discovered in Devoxx FR 2016 (post-processing)
○ actively working since January 2019 (Maven built-in)
● Maven PMC Member
● ASF Member
AGENDA
1. Reproducible Builds: what? why? how?
2. Reproducible Builds with Maven
- rebuild and check binaries
- configure your Maven build
3. Quiz: to be or not to be (Reproducible)
1. Reproducible Builds: Principles
what? why? how?
[Diagram] input source code -> builder -> output binaries (the reference build); the same input source code -> rebuilder -> same output binaries (bit for bit)
Reproducible builds are “a set of software development practices that create an independently-verifiable path from source to binary code”
https://reproducible-builds.org/ (since 2013)
Why does it matter?
● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process”
● my own lessons learned
○ you have the source code of an OSS project, but are you really able to rebuild it?
■ is it the real Git commit? is a “Build successful” message sufficient?
○ are you sure nothing from your build environment leaked into the output binaries?
■ found so far: username, hostname, path to current directory, private key passphrase, …
○ enables efficient builds through a build cache
● when you outsource new development
○ “of course”, in addition to binaries, they deliver source code + build instructions…
○ how do you audit that? Do you just assume you get the expected binaries if you follow the instructions?
How?
● reproducible-builds.org:
1. prerequisite: the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded, and output always has to be written in the same order.
2. requirement: the build environment should either be recorded or pre-defined = build specification.
3. objective: rebuild and validate that the output matches the original build.
2. Reproducible Builds for Maven: Practice
rebuild and check binaries
Reproducible Central (started 03-2020)
https://github.com/jvm-repo-rebuild/reproducible-central
Rebuild a release from its build specification and compare with the published binaries:
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
What If a Difference is Found?
1. Where is the difference?
2. What is the difference? https://diffoscope.org/
3. Why? How to fix?
2. Reproducible Builds for Maven: Practice
configure your Maven build
Reproducible Builds for Maven (since 03-2020)
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
1. Enable Reproducible Builds (as described in the guide above):
2. Check plugins known to require an upgrade: mvn artifact:check-buildplan
see https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
(necessary updates, but perhaps not sufficient…)
Manual Checking for Reproducible Builds
1. during SNAPSHOT development: check locally whether you get the same result twice
mvn clean install
mvn clean verify artifact:compare
ideally (harder): rebuild on a different machine, or in Docker, to detect more subtle environment impact
2. after the release is pushed to Maven Central:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare
or during release candidate review, or if the release is published somewhere else:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
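As an added example, not from the talk nor from the Maven project: a small Python check in the spirit of artifact:compare that answers “where is the difference?” for a rebuilt jar, classifying differences as missing/extra entries, entry order, entry timestamps or content. It constructs its own sample jars (a rebuild with a pinned date, a rebuild that stamped the wall-clock date, and a rebuild that wrote entries in another order), so it runs offline; names such as JarDiff and compare_jars are this example's own.

```python
"""Locate why a rebuilt jar is not bit-for-bit identical to the reference jar.
Added example for this page, not Maven's artifact:compare nor diffoscope: a
stand-alone check in the same spirit, comparing entry names, entry order, entry
timestamps and entry bytes. The jars are constructed inline so it runs offline."""
import io
import zipfile
from dataclasses import dataclass, field


@dataclass
class JarDiff:
    bit_identical: bool = False                    # the reproducible-build verdict
    missing: list = field(default_factory=list)    # in reference, not in rebuild
    extra: list = field(default_factory=list)      # in rebuild, not in reference
    content: list = field(default_factory=list)    # same name, different bytes
    timestamp: list = field(default_factory=list)  # same bytes, different mtime
    order_differs: bool = False                    # same entries, different order


def compare_jars(reference: bytes, rebuild: bytes) -> JarDiff:
    """Answer 'where is the difference?' for two jar/zip byte strings."""
    d = JarDiff(bit_identical=(reference == rebuild))
    with zipfile.ZipFile(io.BytesIO(reference)) as ref, \
            zipfile.ZipFile(io.BytesIO(rebuild)) as new:
        ref_names, new_names = ref.namelist(), new.namelist()
        ref_set, new_set = set(ref_names), set(new_names)
        d.missing = sorted(ref_set - new_set)
        d.extra = sorted(new_set - ref_set)
        # The same entries written in a different order is still a bit-level difference.
        d.order_differs = ref_set == new_set and ref_names != new_names
        for name in ref_names:
            if name not in new_set:
                continue
            if ref.read(name) != new.read(name):
                d.content.append(name)
            elif ref.getinfo(name).date_time != new.getinfo(name).date_time:
                d.timestamp.append(name)
    return d


def build_jar(entries, date_time) -> bytes:
    """Constructed sample jar: (name, bytes) entries in the given order, one mtime for all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            z.writestr(info, data)
    return buf.getvalue()


# Constructed inputs: a minimal jar with a manifest and two class files.
ENTRIES = [
    ("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
    ("com/example/A.class", b"\xca\xfe\xba\xbe A"),
    ("com/example/B.class", b"\xca\xfe\xba\xbe B"),
]
PINNED = (2024, 4, 17, 10, 0, 0)      # fixed timestamp, as a pinned build date gives
WALL_CLOCK = (2024, 4, 18, 9, 30, 0)  # what a rebuild a day later would stamp instead


def demo():
    """Reference build vs. three rebuilds: pinned date, wall-clock date, reordered entries."""
    reference = build_jar(ENTRIES, PINNED)
    same = compare_jars(reference, build_jar(ENTRIES, PINNED))
    clock = compare_jars(reference, build_jar(ENTRIES, WALL_CLOCK))
    reordered = compare_jars(reference, build_jar([ENTRIES[0], ENTRIES[2], ENTRIES[1]], PINNED))
    return same, clock, reordered


if __name__ == "__main__":
    for label, diff in zip(("pinned date", "wall-clock date", "reordered"), demo()):
        print(f"{label}: bit_identical={diff.bit_identical} "
              f"timestamp={diff.timestamp} order_differs={diff.order_differs}")
```

Only the pinned-date rebuild is bit-identical; the other two show the two classic leaks the “How?” slide names, a recorded date/time and an unstable output order, before you reach for diffoscope on the content itself.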
3. Quiz: to be or not to be (Reproducible)
warmup
#1 Reproducible or not? (image-only slide)
#2 Reproducible or not? (image-only slides)
#3 Reproducible or not? (image-only slides)
Conclusion: summary
1. Enable Reproducible Builds: artifact:check-buildplan
2. Audit your binaries: artifact:compare
3. Look at issues: diffoscope
4. Fix what brings additional value
Audit and report at scale: copy reproducible-central and adapt it to your local repository
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
With Maven: Just do It!
THANKS FOR WATCHING
Diversity in Community is Great, not in Binary Code
