Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add configureReproducible( Date lastModifiedDate ) API #121

Closed
wants to merge 6 commits into from

Conversation

hboutemy
Copy link
Member

@hboutemy hboutemy commented Sep 8, 2019

code extracted from POC done in Maven Source Plugin MSOURCES-120
now need to test it from Maven Assembly Plugin to see how the proposed API matches more advanced use cases (other formats than jar, execution bit in Unix file mode, perhaps other aspects)

asfgit pushed a commit to apache/maven-source-plugin that referenced this pull request Sep 8, 2019
@hboutemy hboutemy self-assigned this Sep 8, 2019
@hboutemy hboutemy added this to the 4.2.0 milestone Sep 8, 2019
@michael-o
Copy link
Member

I will have a look at this tonight.

protected Date convertSourceDateEpochToDate( int sourceDateEpoch )
{
// timestamp of zip entries at zip storage level ignores timezone: see https://github.com/Stuk/jszip/issues/369
Calendar cal = Calendar.getInstance();
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This one is to trick the default timezone version, right?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"trick the default timezone": I'm not ok with this way of saying things, but it looks it's your way to say what I wrote in comments

Copy link
Member

@michael-o michael-o Sep 8, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But that's what you do. ZipEntry.setTime() does use the default timezone. You recalculate the date to have it look like UTC for the ZipOutputStream. Therefore your comment is not correct. The ZIP defition has no timezone notion, but many implementations use the default timezone. The provided link describes how to defeat the system.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I still don't see what to do with your comment

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's put the sourceEpochDate aside. All you do is to modify the timestamp to look like UTC in the default timezone, don't you? It has nothing to do with the sourceEpochDate. You fix a shortcoming of the ZIP spec. Simply convert to UTC. That is what you need to document.

Copy link
Member

@michael-o michael-o left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A few glitches, but overall a good thing. One though, is missing. The TZ alignment cannot be done w/o using the configure method because the former is protected. A user can actually make the archive reproducible w/o using the configure method. He ought to normalize the timestamp himself in this case.

}
} );

// 3. ignore file/directory mode from filesystem, since they may vary based on local user umask
Copy link
Member

@plamentotev plamentotev Oct 6, 2019

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This can be quite inconvenient if the archive contains executable scripts (not uncommon for Java applications). I think that at least it should be explicitly stated in the configureReproducible java docs - "reproducible entries Unix mode" is not specific enough. Also I was thinking if it would make sense to keep the executable flag. Having a umask with the executable flag set to true on Unix system is quite uncommon.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, executable bit is the most wanted one.
Not sure this bit is really managed when running on Windows.
I don't know what precisely to do
I'll merge the current state as it is a good initial step: please help by providing a PR to improve

@hboutemy hboutemy changed the title added configureReproducible( int sourceDateEpoch ) API add configureReproducible( Date lastModifiedDate ) API Oct 12, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants