Reproducible Builds with Apache Maven
Hervé Boutemy
DEVOXX FRANCE 2024
About Me: Hervé Boutemy
● Java, since 1.0-beta
● CI, DevOps
● Enterprise Architecture
● DevSecOps
● Solutions Architect
● Software Supply Chain
● SBOM: CycloneDX, SPDX
● Reproducible Builds for the JVM:
○ discovered at Devoxx FR 2016 (post-processing)
○ actively working on it since January 2019 (Maven built-in)
● Maven PMC Member
● ASF Member
AGENDA
1. Reproducible Builds: what? why? how?
2. Reproducible Builds with Maven
- rebuild and check binaries
- configure your Maven build
3. Quiz: to be or not to be (Reproducible)
1. Reproducible Builds: Principles
/ what? why? how?
[diagram] input source code -> builder -> output binaries (the reference)
[diagram] input source code -> rebuilder -> same output binaries (bit for bit), compared against the reference
“a set of software development practices that create an independently-verifiable path from source to binary code”
https://reproducible-builds.org/ (since 2013)
Why does it matter?
● reproducible-builds.org: “allow verification that no vulnerabilities or backdoors have been introduced during the compilation process”
● my own experience
○ you have the source code of an OSS project, but are you really able to rebuild it?
■ is it the real Git commit? is a “Build successful” message sufficient?
○ are you sure nothing from your build environment leaked into the output binaries?
■ found: username, hostname, path to current directory, private key passphrase, …
○ enables build efficiency through build caches (identical inputs give identical outputs)
● when you outsource a new development
○ “of course”, in addition to binaries, they deliver source code + build instructions…
○ how do you audit that? Do you just assume you get the expected binaries if you follow the instructions?
How?
● reproducible-builds.org:
1. prerequisite: the build system needs to be made entirely deterministic. For example, the current date and time must not be recorded, and output always has to be written in the same order.
2. requirement: the build environment should either be recorded or pre-defined (= build specification).
3. objective: rebuild and validate that the output matches the original build.
2. Reproducible Builds for Maven: Practice
/ 2. rebuild and check binaries
/ 1. configure Maven build
Reproducible Central (started 03-2020)
https://github.com/jvm-repo-rebuild/reproducible-central
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
What If a Difference is Found?
1. Where is the difference?
2. What is the difference? https://diffoscope.org/
3. Why? How to fix it?
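The following is an added example, not code from the slides, from Maven or from Reproducible Central. It illustrates two slides at once: the “How?” prerequisite (no current date/time recorded, output always written in the same order) with a toy jar builder, and “What If a Difference is Found?” with a first-pass report of where and what differs between a reference jar and a rebuilt one, the triage that precedes diffoscope. File names, contents, build times and the PINNED_EPOCH value are constructed for the example; project.build.outputTimestamp is the real Maven property the pinned epoch stands in for.

```python
"""Added example (not from the slides or from Maven): a toy jar builder showing
what "entirely deterministic" means for a jar (a zip archive), plus an
entry-level diff that says where and what differs between two jars."""
import hashlib
import io
import time
import zipfile

# Constructed "compiled classes"; the contents are placeholder bytes, not real classes.
SOURCES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/App.class": b"\xca\xfe\xba\xbe" + b"\x00" * 20,
    "com/example/Util.class": b"\xca\xfe\xba\xbe" + b"\x01" * 20,
}
# Assumed pinned timestamp (2024-01-01T00:00:00Z), standing in for project.build.outputTimestamp.
PINNED_EPOCH = 1704067200


def build_jar(entries, build_time, deterministic):
    """Build a jar from a list of (name, bytes).

    deterministic=False: entries written in the order given, stamped with the
    wall-clock build_time (what an unconfigured build does).
    deterministic=True: entries sorted by name and every one stamped with
    PINNED_EPOCH, so listing order and wall-clock time no longer matter.
    """
    if deterministic:
        entries = sorted(entries)
        build_time = PINNED_EPOCH
    date_time = time.gmtime(build_time)[:6]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            jar.writestr(info, data)
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def diff_jars(reference, rebuilt):
    """Locate differences between two jars at the entry level.

    Returns a list of (entry_name, kind) with kind in
    {"order", "timestamp", "content", "missing", "extra"}. An empty list means
    the entries match; callers should still compare the whole-file hash.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(reference)) as ref, zipfile.ZipFile(io.BytesIO(rebuilt)) as new:
        ref_names, new_names = ref.namelist(), new.namelist()
        if ref_names != new_names and sorted(ref_names) == sorted(new_names):
            findings.append(("<central directory>", "order"))
        for name in ref_names:
            if name not in new_names:
                findings.append((name, "missing"))
                continue
            a, b = ref.getinfo(name), new.getinfo(name)
            if a.date_time != b.date_time:
                findings.append((name, "timestamp"))
            if a.CRC != b.CRC or a.file_size != b.file_size:
                findings.append((name, "content"))
        for name in new_names:
            if name not in ref_names:
                findings.append((name, "extra"))
    return findings


def simulate(deterministic):
    """Builder vs rebuilder: the rebuilder lists the files in another order and
    runs one day later. Returns (bit_for_bit_identical, findings)."""
    builder = list(SOURCES.items())
    rebuilder = list(reversed(builder))
    t0 = 1713312000  # constructed reference build time
    reference = build_jar(builder, t0, deterministic)
    rebuilt = build_jar(rebuilder, t0 + 86400, deterministic)
    return sha256(reference) == sha256(rebuilt), diff_jars(reference, rebuilt)


if __name__ == "__main__":
    for det in (False, True):
        identical, findings = simulate(det)
        print(f"deterministic={det}: identical={identical}")
        for name, kind in findings:
            print(f"  {kind:10} {name}")
```

Run it and the non-deterministic build reports an `order` finding for the central directory plus a `timestamp` finding per entry, while the deterministic build is bit-for-bit identical even though the rebuilder listed the files in another order a day later; a changed class body shows up as a `content` finding, which is the backdoor case the “Why?” slide quotes. A real `artifact:compare` run compares every attached artifact against the reference repository, and diffoscope shows the bytes that differ; this script only locates the entry.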
2. Reproducible Builds for Maven: Practice (continued)
/ 1. configure Maven build
Reproducible Builds for Maven (since 03-2020)
https://maven.apache.org/guides/mini/guide-reproducible-builds.html
1. Enable Reproducible Builds: set the project.build.outputTimestamp property in your pom.xml (see the guide)
2. Check plugins known to require an upgrade: mvn artifact:check-buildplan
= https://maven.apache.org/plugins/maven-artifact-plugin/plugin-issues.html
(these updates are necessary, but perhaps not sufficient…)
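As an added example (not a snippet from the slides), this is the pom.xml configuration the linked Maven guide describes for step 1. The timestamp value and the maven-artifact-plugin version are assumptions chosen for this example; the property name and the plugin goal are the real ones.

```xml
<!-- Added example, not a snippet from the slides: the pom.xml change the linked
     Maven guide describes. The timestamp value and the plugin version are
     assumptions chosen for this example. -->
<project>
  <!-- your groupId / artifactId / version / parent as usual -->

  <properties>
    <!-- Fixed timestamp (ISO 8601, or seconds since the epoch) stamped on every
         entry of every jar, zip or tar the build produces. Bump it at each
         release; recent maven-release-plugin versions update it during release:prepare. -->
    <project.build.outputTimestamp>2024-04-17T00:00:00Z</project.build.outputTimestamp>
  </properties>

  <build>
    <plugins>
      <!-- Attaches a .buildinfo file describing the produced artifacts, the
           record that artifact:compare later checks against a reference repository. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-artifact-plugin</artifactId>
        <version>3.5.0</version>
        <executions>
          <execution>
            <goals>
              <goal>buildinfo</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

The property only pins what Maven's own archivers write, which is why step 2 (mvn artifact:check-buildplan) is still needed: a plugin that writes its own files, or an old plugin version, can reintroduce timestamps or nondeterministic ordering.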
Manual Checking for Reproducible Builds
1. during SNAPSHOT development: check locally whether you get the same result twice
mvn clean install
mvn clean verify artifact:compare
ideally (harder): rebuild on a different machine, or in Docker, to detect more subtle environment impacts
2. after the release is pushed to Maven Central:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare
or during release candidate review, or if the release is published somewhere else:
mvn -Papache-release -Dgpg.skip clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
(-Dgpg.skip: GPG signatures are never reproducible, since each signing run embeds its own timestamp, so they are left out of the comparison; apache-release is the ASF parent POM's release profile, use your own project's release profile instead)
3. Quiz: warmup
/ to be or not to be (Reproducible)?
#1 Reproducible or not? [build example shown as an image]
#2 Reproducible or not? [build example shown as an image]
#3 Reproducible or not? [build example shown as an image]
Conclusion: summary
1. Enable Reproducible Builds: project.build.outputTimestamp, then artifact:check-buildplan
2. Audit your binaries: artifact:compare
3. Look at issues: diffoscope
4. Fix what brings additional value
5. Audit and report at scale: copy reproducible-central and adapt it to your local repository
./rebuild.sh <path/to/...>/<project>-<version>.buildspec
With Maven: Just do It!
THANKS FOR WATCHING
Diversity in Community is Great, not in Binary Code
