• Bug#1066045: maven-bundle-plugin: produces nondeterministic ordering in

    From James Addison@21:1/5 to All on Mon Mar 11 18:00:02 2024

    Package: libmaven-bundle-plugin-java
    Severity: wishlist
    Tags: patch
    User: reproducible-builds@lists.alioth.debian.org
    Usertags: toolchain

    Dear Maintainer,

    The maven-bundle-plugin utility creates Java .jar archives that contain non-deterministic contents in the Export-Package, Private-Package and Include-Resource header fields of the MANIFEST.MF file when listing those files from the underlying filesystem returns them in differing order.

    There is an existing report[1] of this problem upstream in the Apache Felix project, and it has been resolved by a subsequent change[2] to sort the contents of the relevant field values before they're written to the manifest.

    Please find attached a backport of the upstream changeset, which applies cleanly to the maven-bundle-plugin-3.5.1 sources.

    Thank you,
    James

    [1] - https://issues.apache.org/jira/browse/FELIX-6602

    [2] - https://github.com/apache/felix-dev/pull/208

    From d885d99a6a16660f655a4fd18e8a1a39beef0a15 Mon Sep 17 00:00:00 2001
    From: =?UTF-8?q?Herv=C3=A9=20Boutemy?= <hboutemy@apache.org>
    Date: Sat, 25 Mar 2023 00:18:11 +0100
    Subject: [PATCH] FELIX-6602 sort resources and exported packages

    ---
    .../java/org/apache/felix/bundleplugin/BundlePlugin.java | 5 ++++-
    1 file changed, 4 insertions(+), 1 deletion(-)

    --- a/src/main/java/org/apache/felix/bundleplugin/BundlePlugin.java
    +++ b/src/main/java/org/apache/felix/bundleplugin/BundlePlugin.java
    @@ -1938,6 +1938,7 @@ public class BundlePlugin extends AbstractMojo
    scanner.scan();

    String[] paths = scanner.getIncludedFiles();
    + Arrays.sort( paths );
    for ( int i = 0; i < paths.length; i++ )
    {
    packages.put( analyzer.getPackageRef( getPackageName( paths[i] ) ) );
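    Review bot: The `Arrays.sort( paths )` call added before the loop only makes the result deterministic if `packages` keeps entries in the order `packages.put(...)` inserts them, and nothing in this hunk shows that. Worth confirming that the container preserves insertion order, and adding a one-line comment above the sort saying it exists for reproducible output (FELIX-6602) so it is not later removed as redundant.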
    @@ -2076,7 +2077,9 @@ public class BundlePlugin extends AbstractMojo
    scanner.addDefaultExcludes();
    scanner.scan();

    - List<String> includedFiles = Arrays.asList( scanner.getIncludedFiles() );
    + String[] f = scanner.getIncludedFiles();
    + Arrays.sort( f );
    + List<String> includedFiles = Arrays.asList(
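    Review bot: The new local `f` in `String[] f = scanner.getIncludedFiles();` is a terse name for an array of paths; something like `includedPaths` would read better. The same scan followed by `Arrays.sort(...)` now appears in both hunks, so a small shared helper that returns the sorted included files would keep the two call sites from drifting apart. The last added line is cut off after `Arrays.asList(` on this page, so the rest of the statement can't be checked here.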
  • From Mattia Rizzolo@21:1/5 to All on Wed Mar 27 18:40:01 2024
    Control: tags 1066045 + pending


    Dear maintainer,

    I've prepared an NMU for maven-bundle-plugin (versioned as 3.5.1-2.1) and uploaded it to DELAYED/15. Please feel free to tell me if I should delay it longer.

    Regards.


    --
    regards,
    Mattia Rizzolo

    GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
    More about me: https://mapreri.org
    Launchpad user: https://launchpad.net/~mapreri
    Debian QA page: https://qa.debian.org/developer.php?login=mattia

    [attachment: maven-bundle-plugin-3.5.1-2.1-nmu.diff]

    diffstat for maven-bundle-plugin-3.5.1 maven-bundle-plugin-3.5.1

    changelog | 9 ++
    patches/0002-FELIX-6602-sort-resources-and-exported-packages.patch | 33 ++++++++++
    patches/series | 1
    3 files changed, 43 insertions(+)

    diff -Nru maven-bundle-plugin-3.5.1/debian/changelog maven-bundl
  • From James Addison@21:1/5 to All on Wed Mar 27 18:40:01 2024
    Followup-For: Bug #1066045
    Control: forwarded -1 https://salsa.debian.org/java-team/maven-bundle-plugin/-/merge_requests/1
    Control: tags -1 pending

    This change has recently been uploaded to DELAYED/15 by Mattia from the Reproducible Builds team after I requested that; in addition I'm providing the same change as a merge request on Salsa (adding this as the forwarded-to URL for reference, although in this case the change itself is a backport from upstream).

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
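
The check below is an added example, not part of the bug report or the plugin: it compares the MANIFEST.MF of two builds and reports whether Export-Package, Private-Package and Include-Resource differ only in clause order, the symptom described in the original report. The manifests are constructed samples and the function names are hypothetical.

```python
import re
HEADERS = ("Export-Package", "Private-Package", "Include-Resource")

def parse_manifest(text):
    """Return the main-section headers of a MANIFEST.MF as a dict."""
    # A line starting with one space continues the previous (72-byte wrap).
    unfolded = re.sub(r"\r?\n ", "", text)
    main = re.split(r"\r?\n\r?\n", unfolded, maxsplit=1)[0]
    pairs = (line.partition(": ") for line in main.splitlines())
    return {name: value for name, sep, value in pairs if sep}

def split_clauses(value):
    """Split a header value on commas that are not inside double quotes."""
    clauses, current, quoted = [], "", False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            clauses.append(current)
            current = ""
        else:
            current += ch
    return [c.strip() for c in clauses + [current] if c.strip()]

def compare_builds(manifest_a, manifest_b, headers=HEADERS):
    """Classify each header as 'same', 'order-only' or 'content'."""
    a, b = parse_manifest(manifest_a), parse_manifest(manifest_b)
    result = {}
    for name in headers:
        ca, cb = (split_clauses(m.get(name, "")) for m in (a, b))
        result[name] = ("same" if ca == cb else
                        "order-only" if sorted(ca) == sorted(cb) else "content")
    return result

# Constructed sample: one bundle built twice with a different listing order.
BUILD_A = (
    'Manifest-Version: 1.0\r\n'
    'Export-Package: org.example.api;uses:="org.example.spi,org.example.util"\r\n'
    ' ;version="1.0.0",org.example.spi;version="1.0.0"\r\n'
    'Private-Package: org.example.impl,org.example.util\r\n'
    'Include-Resource: a.properties,b.properties\r\n\r\n'
)
BUILD_B = (
    'Manifest-Version: 1.0\r\n'
    'Export-Package: org.example.spi;version="1.0.0",org.example.api;uses:="o\r\n'
    ' rg.example.spi,org.example.util";version="1.0.0"\r\n'
    'Private-Package: org.example.impl,org.example.util\r\n'
    'Include-Resource: b.properties,a.properties\r\n\r\n'
)
```

An "order-only" result means the two builds list the same clauses in a different sequence; "content" means the clause sets themselves differ and the difference needs a closer look.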
  • From tony mancill@21:1/5 to Mattia Rizzolo on Thu Mar 28 05:30:01 2024
    On Wed, Mar 27, 2024 at 06:18:51PM +0100, Mattia Rizzolo wrote:
    > I've prepared an NMU for maven-bundle-plugin (versioned as 3.5.1-2.1) and uploaded it to DELAYED/15. Please feel free to tell me if I
    > should delay it longer.

    Hi Mattia, hi James,

    Thank you for the patch and the NMU. Feel free to proceed with a 0-day
    upload if you'd prefer.

    I will import the changes into the repo and ACK the NMU with the next
    upload.

    Cheers,
    tony

  • From tony mancill@21:1/5 to tony mancill on Thu Mar 28 06:50:01 2024
    On Wed, Mar 27, 2024 at 09:24:34PM -0700, tony mancill wrote:
    > Thank you for the patch and the NMU. Feel free to proceed with a 0-day upload if you'd prefer.

    Resending - the prior reply was from me, but didn't have the correct
    From: header.

    Cheers,
    tony

  • From Mattia Rizzolo@21:1/5 to tony mancill on Thu Mar 28 09:40:02 2024
    On Wed, Mar 27, 2024 at 10:42:07PM -0700, tony mancill wrote:
    > On Wed, Mar 27, 2024 at 09:24:34PM -0700, tony mancill wrote:
    > > Thank you for the patch and the NMU. Feel free to proceed with a 0-day upload if you'd prefer.

    Amazing, thank you!

    I've rescheduled it to 0-day.

    --
    regards,
    Mattia Rizzolo

    GPG Key: 66AE 2B4A FCCF 3F52 DA18 4D18 4B04 3FCD B944 4540
    More about me: https://mapreri.org
    Launchpad user: https://launchpad.net/~mapreri
    Debian QA page: https://qa.debian.org/developer.php?login=mattia
