8243666: ModuleHashes attribute generated for JMOD and JAR files

Alan Bateman Alan.Bateman at oracle.com
Mon Apr 27 19:34:50 UTC 2020


This is build reproducibility issue with the module-info.class files in 
the packaged modules (JMOD files in the case of the JDK build).

One part to this is the ModulePackages class file attribute that is 
added by the tools, including the jmod tool and the AddPackagesAttribute 
tool in the JDK build. The package names are added in iteration order so 
can vary from run to run. This is trivially fixed to sort the package 
names.!

The other part is the ModuleHashes attribute where a hash is computed 
from all contents of a package module. In the case of JMOD files this 
means the hash covers the timestamps on the entries in the JMOD so it 
varies from build to build too. The proposal is to compute the hash over 
the names and content of the entries. The timestamps and other 
non-interesting meta data is not included in the hash. Hashes are to 
avoid accidental mixing of tightly coupled modules from different builds 
so I think this should be strong enough.

The webrev with the proposed changes is here:
    http://cr.openjdk.java.net/~alanb/8243666/webrev/

There are follow-on issues that will need to be fixed in jlink and the 
image writer before the modules container is reproducible. That is 
something for another set of patches.

-Alan


More information about the jigsaw-dev mailing list