8243666: ModuleHashes attribute generated for JMOD and JAR files
Mandy Chung
mandy.chung at oracle.com
Tue Apr 28 22:10:57 UTC 2020
Hi Alan,
On 4/27/20 12:34 PM, Alan Bateman wrote:
>
> This is build reproducibility issue with the module-info.class files
> in the packaged modules (JMOD files in the case of the JDK build).
>
> One part to this is the ModulePackages class file attribute that is
> added by the tools, including the jmod tool and the
> AddPackagesAttribute tool in the JDK build. The package names are
> added in iteration order so can vary from run to run. This is
> trivially fixed to sort the package names.!
>
This looks okay.
> The other part is the ModuleHashes attribute where a hash is computed
> from all contents of a package module. In the case of JMOD files this
> means the hash covers the timestamps on the entries in the JMOD so it
> varies from build to build too. The proposal is to compute the hash
> over the names and content of the entries. The timestamps and other
> non-interesting meta data is not included in the hash. Hashes are to
> avoid accidental mixing of tightly coupled modules from different
> builds so I think this should be strong enough.
>
Computing the hash from the names and contents of all entries sounds a
good solution.
> The webrev with the proposed changes is here:
> http://cr.openjdk.java.net/~alanb/8243666/webrev/
>
This looks good to me.
Mandy
More information about the jigsaw-dev
mailing list