[arch-commits] Commit in maven/trunk (PKGBUILD)

Levente Polyak anthraxx at gemini.archlinux.org
Sun Dec 19 18:22:31 UTC 2021


    Date: Sunday, December 19, 2021 @ 18:22:30
  Author: anthraxx
Revision: 1079077

upgpkg: maven 3.8.4-1: fully bit identical canonical packaging

Make our packaged version 100% canonical but built from source by
leveraging reproducible builds implications.

We use the upstream build number to build our version from source and check the
resulting tarball against the official hashes. We literally reproduce the
upstream binary dist bit by bit. This has multiple nice side effects, most
importantly we can dist a 100% canonical version that is bit by bit the same
and therefore supported, while still not having to blindly repackage prebuilt
artifacts.

Modified:
  maven/trunk/PKGBUILD

----------+
 PKGBUILD |   52 ++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 12 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2021-12-19 18:04:17 UTC (rev 1079076)
+++ PKGBUILD	2021-12-19 18:22:30 UTC (rev 1079077)
@@ -3,7 +3,7 @@
 # Contributor: William Rea <sillywilly at gmail.com>
 
 pkgname=maven
-pkgver=3.8.3
+pkgver=3.8.4
 pkgrel=1
 pkgdesc='Java project management and project comprehension tool'
 url='https://maven.apache.org'
@@ -12,8 +12,11 @@
 depends=('java-environment>=7' 'bash' 'procps-ng')
 makedepends=('maven' 'java-environment=8')
 backup=('opt/maven/conf/settings.xml')
-source=(https://www-eu.apache.org/dist/maven/maven-3/${pkgver}/source/apache-maven-${pkgver}-src.tar.gz{,.asc}
+source=(https://downloads.apache.org/maven/maven-3/${pkgver}/source/apache-maven-${pkgver}-src.tar.gz{,.asc}
+        # both bin artifacts are only used for reproducible builds from source
+        https://downloads.apache.org/maven/maven-3/${pkgver}/binaries/apache-maven-${pkgver}-bin.tar.gz{,.asc,.sha512}
         maven.sh)
+noextract=(apache-maven-${pkgver}-bin.tar.gz)
 # https://www.apache.org/dist/maven/KEYS
 validpgpkeys=(
   '042B29E928995B9DB963C636C7CA19B7B620D787' # StephenConnolly<stephenc at apache.org>
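Review bot: The comment added above the new source line says "both bin artifacts", but the brace expansion on that line fetches three files: the bin tarball, its `.asc` signature and the `.sha512` sidecar, and all three get an entry in sha256sums further down. A reader auditing what is downloaded and why will count three and wonder which two are meant; suggest `# the bin tarball, its signature and its sha512 sidecar are only used to verify the reproducible source build, nothing from them is packaged`. The `noextract` entry correctly keeps the prebuilt tarball out of `$srcdir`, which is what makes the "built from source" claim hold, so it is worth stating in that comment as well.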
@@ -22,33 +25,58 @@
   'B02137D875D833D9B23392ECAE5A7FB608A0221C' # Robert Scholte <rfscholte at apache.org>
   '6A814B1F869C2BBEAB7CB7271A2A1C94BDE89688' # Michael Osipov (Java developer) <1983-01-06 at gmx.net>
 )
-sha256sums=('c58ea18cee78d678af33b4080b083a104ab80919e4bb57468109338e0bbad19f'
+sha256sums=('298bfb6172c134655f4f5608342f9c7bc798918ac165b8ded4af800be184ab9b'
             'SKIP'
+            '2cdc9c519427bb20fdc25bef5a9063b790e4abd930e7b14b4e9f4863d6f9f13c'
+            'SKIP'
+            'e3b1b816da14173abf0141e22ced80239b57fe81889e230529fec02a88dc55c4'
             '17d9b8efa6a922907110026273443bcc8d83e061e14ac82cb5052b483acc9b76')
 
+_buildnumber() {
+  # use same build number as the binary dist but prove that our source build is
+  # identical and therefor canonical in the build() step
+  bsdtar xOf <(bsdtar xOf "${srcdir}/apache-maven-${pkgver}-bin.tar.gz" apache-maven-${pkgver}/lib/maven-core-${pkgver}.jar) \
+    org/apache/maven/messages/build.properties | grep buildNumber | cut -d= -f2 | tr -cd '[:print:]'
+}
+
 build() {
   cd apache-maven-${pkgver}
 
   export PATH="/usr/lib/jvm/java-8-openjdk/bin:${PATH}"
   mvn package \
+    -DbuildNumber="$(_buildnumber)" \
+    -Dline.separator=$'\r\n' \
+    -Dproject.build.sourceEncoding=UTF-8 -e \
     -Dmaven.repo.local="${srcdir}/repo" \
-    -Dproject.build.sourceEncoding=UTF-8 -e
+    -DskipTests
+
+  # check reproducible builds result against upstream hashes. This way we can
+  # prove that our source build is identical and therefor canonical so we are
+  # technically free to use the static build number in our build env. On top we
+  # ensure bit by bit identical upstream signed binary dist against our variant
+  # via diff exiting non-successful on mismatch.
+  sha512sum -c <(printf "$(cat ${srcdir}/apache-maven-${pkgver}-bin.tar.gz.sha512) apache-maven/target/apache-maven-${pkgver}-bin.tar.gz")
+  diff "${srcdir}/apache-maven-${pkgver}-bin.tar.gz" apache-maven/target/apache-maven-${pkgver}-bin.tar.gz
 }
 
+check() {
+  cd apache-maven-${pkgver}
+
+  export PATH="/usr/lib/jvm/java-8-openjdk/bin:${PATH}"
+  mvn test \
+    -Dmaven.repo.local="${srcdir}/repo"
+}
+
 package() {
   cd apache-maven-${pkgver}
 
   install -Dm 755 ../maven.sh -t "${pkgdir}/etc/profile.d"
+
   install -d "${pkgdir}/opt/maven"
+  bsdtar xf apache-maven/target/apache-maven-${pkgver}-bin.tar.gz \
+    --strip-components=1 \
+    -C "${pkgdir}/opt/maven"
 
-  # skip tests as they were already executed
-  export PATH="/usr/lib/jvm/java-8-openjdk/bin:${PATH}"
-  mvn install \
-    -Dmaven.repo.local="${srcdir}/repo" \
-    -Dproject.build.sourceEncoding=UTF-8 -e \
-    -DdistributionTargetDir="${pkgdir}/opt/maven" \
-    -DskipTests -Dmaven.test.skip=true
-
   install -d "${pkgdir}/usr/bin"
   ln -s /opt/maven/bin/mvn "${pkgdir}/usr/bin/mvn"
   ln -s /opt/maven/bin/mvnDebug "${pkgdir}/usr/bin/mvnDebug"
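Review bot: In build(), the new `sha512sum -c` line hands the contents of the downloaded `.sha512` sidecar to `printf` as the format string, and also leaves `${srcdir}` unquoted in the `cat`. The sidecar is pinned by sha256sums, so this is not an injection path today, but any `%` or backslash in a future sidecar would corrupt or abort the check rather than fail it cleanly; build the line with a fixed format instead: `sha512sum -c <(printf '%s  %s\n' "$(< "${srcdir}/apache-maven-${pkgver}-bin.tar.gz.sha512")" "apache-maven/target/apache-maven-${pkgver}-bin.tar.gz")`. This presumes the sidecar holds the bare digest only; if upstream ships it as `digest  filename`, the path argument is redundant and should be dropped. Separately, `_buildnumber` runs a four-stage pipeline whose intermediate failures are not surfaced, so an empty buildNumber would be passed to mvn silently and only the byte-for-byte `diff` afterwards would reject the result (assuming makepkg aborts on its non-zero status); a guard such as `[[ -n "$_bn" ]] || return 1` before the `-DbuildNumber=` use would give a clearer failure. The same sidecar and pipeline concerns do not recur in check() or package(), which look fine.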


