Update maven build, bazel build, and target platform.
Also remove a file in a ./bin directory that got committed by mistake
in commit f5f4bf0ad.
Change-Id: Ia653c71643f8fad290874d723dacdafbef25c13f
Signed-off-by: Thomas Wolf <twolf@apache.org>
- configure Maven to run build reproducibly [1]
- use UTC timestamp of checked out commit as build timestamp
- add git-describe, git-commit-id, git-commit-id, git-tags,
git-remote-origin-url to MANIFEST.MF files
- configure cyclonedx-maven-plugin to also use UTC timestamp of
checked out commit
- for packaging build use tycho-buildtimestamp-jgit [2] to ensure
version uses the timestamp of the last commit
- SBOMs are not reproducible by design [3] they should have a build
timestamp matching the time when the build was executed and a serial
number which is a unique UUID per build run. Hence exclude them from
comparison [4].
- Use gmavenplus-plugin to format build timestamps. Maven expects
build timestamp in ISO-8601 format, to replace the qualifier in
versions the timestamp format must be compatible with rules for OSGi
version numbers. Didn't find a way to read the properties set by the
git-commit-id-maven-plugin from another plugin. Hence use JGit in a
groovy script to get the commit time of the current HEAD and provide
it in these two formats.
TODO: packaging build (features and p2 repository) is not yet binary
reproducible since that's not yet supported by Tycho [5], artefacts have
reproducible version numbers but file lastModified timestamps are not
yet reproducible.
Test plan for Maven build:
- build using
mvn clean install"
- verify second build is reproducible:
mvn -T1 clean verify artifact:compare
verification seems not to be thread-safe, hence run it with a single
thread using option -T1
For packaging build (still fails due to non-reproducible file
timestamps):
- build using
mvn -f org.eclipse.jgit.packaging/pom.xml clean install
- verify second build is reproducible:
mvn -T1 -f org.eclipse.jgit.packaging/pom.xml clean verify artifact:compare
[1] https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[2] https://wiki.eclipse.org/Tycho/Reproducible_Version_Qualifiers
[3] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/84
[4] https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
[5] https://github.com/eclipse-tycho/tycho/issues/233
Change-Id: I0202f55a1b6ae0edd922cfef638beb39d2ce9417
consuming it directly from Maven Central.
The bundle net.i2p.crypto.eddsa 0.3.0 contains bad OSGi metadata,
earlier it was repackaged in Orbit tweaking its mandatory dependency to
sun.security.x509 to an optional dependency.
This project seems to be orphaned, probably because Java 15 added
support for eddsa with JEP339 [1].
This repackaged bundle is no longer available after Orbit was renovated
[2] to consume the vast majority of bundles directly from Maven Central
without repacking them. Hence we have to workaround this (probably
false) mandatory dependency. For that export an empty dummy package
"sun.security.x509" to satisfy OSGi.
[1] https://openjdk.org/jeps/339
[2] https://github.com/eclipse-orbit/orbit-simrel/issues/15
Change-Id: I2267e15823ebce6cf1d448e1e16a129f703e0f80
The jgit p2 repo should contain all 3rd party dependencies needed at
runtime but not dependencies only used in tests.
- remove assertj-core since it's only used in tests
- add org.eclipse.osgi and org.osgi.service.cm which are runtime
dependencies
Change-Id: Ie789cb8feab0905e7e23aae1d5378e82a0088992
Switch to bundle dependencies for hamcrest 1.3 to avoid issues with
split packages in that version.
Don't allow hamcrest 2.x yet since junit 4.13.2 still requires hamcrest
1.3.
See Orbit restructuring in
https://github.com/orgs/eclipse-orbit/discussions/49
Change-Id: I8faf519b8f2c4e4a6bd255d694d1aa28017acd85
* stable-6.6:
Update to Tycho 4.0.1
Add verification in GcKeepFilesTest that bitmaps are generated
Express the explicit intention of creating bitmaps in GC
GC: prune all packfiles after the loosen phase
Prepare 5.13.3-SNAPSHOT builds
JGit v5.13.2.202306221912-r
Change-Id: I7294c21748897eb3f94eeffbda944b62e3206c0d
Tycho 4.0.0-SNAPSHOT is no longer available and it's a bad practice to
depend on any snapshot version (we had to since this was the only way
to get gpg signing to work in time for releasing 6.6.0).
Change-Id: I1d4af5f69965b4cad50b379fd81f6f442b38c8d0
Now that it is released there is no need anymore to use a snapshot
version.
Change-Id: Idd35c48022370abf18049ef4b6ddd6253613888e
Signed-off-by: Thomas Wolf <twolf@apache.org>
Matthias Sohn