Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Maven plugin uses timezone-local timestamps when outputTimestamp is used #34424

Closed
nielsbasjes opened this issue Mar 1, 2023 · 1 comment
Closed

Maven plugin uses timezone-local timestamps when outputTimestamp is used #34424

nielsbasjes opened this issue Mar 1, 2023 · 1 comment
Labels
type: bug A general bug
Milestone
2.7.10

Comments

@nielsbasjes
Copy link
Contributor

nielsbasjes commented Mar 1, 2023
edited
Loading

Summary

The spring-boot-maven-plugin repackage goal does not set a reproducible timestamp.
The provided timestamp is used but offset with the local timezone of the developer.

A project wants to be reproducible and sets the project.build.outputTimestamp to a desired value with a clear timezone in it.

Then the spring-boot-maven-plugin is used to repackage the jar/war file.
The outputTimestamp by default uses the correct timestamp from project.build.outputTimestamp.

The problem is that the timestamp in final jar/war file has this timestamp expressed in the timezone of the local build system.
So someone in a different timezone can only reproduce the build if they are able to figure out the timezone of the original build system.

This makes the build needlessly hard to reproduce.

Reproduce

This mini project demonstrates this problem by building the same demo project twice in a docker image with a different timezone.

https://github.com/nielsbasjes/BugreportSpringPluginTimezone

Expected

I expect the output to be in the specified timezone in the outputTimestamp
This will make the end result always be the same regardless of the timezone of the build system.

Actual output:

For different timezones the output file is different

$ md5sum *jar
51101377d3c14d4def5607adc7694eef  amsterdam.jar
bfc83311fec00946edde56b0313e642f  eucla.jar
1208e63002398ff0606ab62a0b7f06a1  hawaii.jar

Snippets from diffoscope:

The content (all jar files and such) are identical

│┄ Archive contents identical but files differ, possibly due to different compression levels. Falling back to binary comparison.

In timezone Europe/Amsterdam

│ +drwxr-xr-x  2.0 unx        0 bX defN 11-Nov-11 23:22 META-INF/
│ +-rw-r--r--  2.0 unx      379 bl defN 11-Nov-11 23:22 META-INF/MANIFEST.MF
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 23:22 org/
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 23:22 org/springframework/
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 23:22 org/springframework/boot/
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 23:22 org/springframework/boot/loader/
│ +-rw-r--r--  2.0 unx     5667 bl defN 11-Nov-11 23:22 org/springframework/boot/loader/ClassPathIndexFile.class
│ +-rw-r--r--  2.0 unx     7806 bl defN 11-Nov-11 23:22 org/springframework/boot/loader/ExecutableArchiveLauncher.class
│ +-rw-r--r--  2.0 unx     2540 bl defN 11-Nov-11 23:22 org/springframework/boot/loader/JarLauncher.class

In timezone Australia/Eucla

│ -drwxr-xr-x  2.0 unx        0 bX defN 11-Nov-12 07:07 META-INF/
│ --rw-r--r--  2.0 unx      379 bl defN 11-Nov-12 07:07 META-INF/MANIFEST.MF
│ -drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-12 07:07 org/
│ -drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-12 07:07 org/springframework/
│ -drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-12 07:07 org/springframework/boot/
│ -drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-12 07:07 org/springframework/boot/loader/
│ --rw-r--r--  2.0 unx     5667 bl defN 11-Nov-12 07:07 org/springframework/boot/loader/ClassPathIndexFile.class
│ --rw-r--r--  2.0 unx     7806 bl defN 11-Nov-12 07:07 org/springframework/boot/loader/ExecutableArchiveLauncher.class
│ --rw-r--r--  2.0 unx     2540 bl defN 11-Nov-12 07:07 org/springframework/boot/loader/JarLauncher.class

In timezone AU/Hawaii

│ +drwxr-xr-x  2.0 unx        0 bX defN 11-Nov-11 12:22 META-INF/
│ +-rw-r--r--  2.0 unx      379 bl defN 11-Nov-11 12:22 META-INF/MANIFEST.MF
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 12:22 org/
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 12:22 org/springframework/
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 12:22 org/springframework/boot/
│ +drwxr-xr-x  2.0 unx        0 bl defN 11-Nov-11 12:22 org/springframework/boot/loader/
│ +-rw-r--r--  2.0 unx     5667 bl defN 11-Nov-11 12:22 org/springframework/boot/loader/ClassPathIndexFile.class
│ +-rw-r--r--  2.0 unx     7806 bl defN 11-Nov-11 12:22 org/springframework/boot/loader/ExecutableArchiveLauncher.class
│ +-rw-r--r--  2.0 unx     2540 bl defN 11-Nov-11 12:22 org/springframework/boot/loader/JarLauncher.class
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Mar 1, 2023
@scottfrederick scottfrederick changed the title [spring-boot-maven-plugin] outputTimestamp shifted using local timezone. Maven plugin uses timezone-local timestamps when outputTimestamp is used Mar 1, 2023
@nielsbasjes nielsbasjes mentioned this issue Mar 1, 2023
Closed
@nielsbasjes
Copy link
Contributor Author

I did some digging and it seems the JarWriter gets to write a JarArchiveEntry which has the correct last modification timestamp (in epoch milliseconds).

Then during the actual writing in org.apache.commons.compress.archivers.zip.ZipArchiveOutputStream a call is done to ZipUtil.toDosTime with a instance of Calendar which is initialized with Calendar.getInstance();.
This effectively means to fix this we have to change the default timezone of the application.

Based on that I put together the simplest fix I could think of in the mentioned merge request.

@scottfrederick scottfrederick added type: bug A general bug and removed status: waiting-for-triage An issue we've not yet triaged labels Mar 1, 2023
@scottfrederick scottfrederick added this to the 2.7.x milestone Mar 1, 2023
@philwebb philwebb modified the milestones: 2.7.x, 2.7.10 Mar 2, 2023
@philwebb philwebb mentioned this issue Mar 2, 2023
Closed
@Netyyyy Netyyyy mentioned this issue Apr 7, 2023
Closed
vy added a commit to apache/logging-log4j-samples that referenced this issue Sep 14, 2023
@vy
Disable spring-boot:repackage in CI
b69a217 
It doesn't produce reproducible artifacts. This issue was
reported earlier and (claimed to be) fixed in 2.7.10:
spring-projects/spring-boot#34424
Yet the fix doesn't help in our case.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type: bug A general bug
Projects
None yet
Milestone
2.7.10
Development

No branches or pull requests
4 participants
@scottfrederick @nielsbasjes @philwebb @spring-projects-issues