RFR: 8264449: Enable reproducible builds with SOURCE_DATE_EPOCH [v7]

Tue Jun 21 07:07:10 UTC 2022

On Mon, 20 Jun 2022 21:56:47 GMT, John Neffenger <jgneff at openjdk.org> wrote:

> That's why Red Hat has Flatpak and Ubuntu has Snaps (and they each grudingly support the other's solution). Their approach is to let the JavaFX application include its minimal Java runtime (using `jlink`) along with the complete set of its dependencies. That packaging allows it to run as a self-contained application on any Linux system. I'm not aware of projects trying to solve this at the SDK level.

That is a different issue --I'm not talking about OS-dependencies in external libraries.
We have to do it (and are doing it) at the SDK level, since the media libs we create (hence not the ones we depend on) can not be created on a stock Ubuntu 18, for instance, and subsequently being used on old RedHat systems -- not because of symbols in dependent libraries, but because of version requirements in the symbols provided by libc. 
Actually, Ubuntu 18 doesn't even come with a gcc-11 based compiler, which is required for #761 . 
Most recent versions of linux distributions do contain gcc-11 based compilers and matching sysroots, but those will introduce symbols in our own libs that are version-incompatible with runtimes provided by old linux distributions. That is the main reason we started the work on the devkit, which compiles a gcc-11 compiler that compiles code that can run on this wide range of distributions.
Hence, if we want fully reproducible builds (which I want as well), we need a reproducible way to build the compiler and sysroot. The script to build the devkit is at https://urldefense.com/v3/__https://github.com/openjdk/jdk/tree/master/make/devkit__;!!ACWV5N9M2RV99hQ!Ju_gdUdp947n6T1MJ-5EGJpGE5_l0-H1cT7QA3-hXPtOY8b5hYr_mHO830NgFWVY63-zwNfhClWZrl9dtjIe$  but we need additional changes for OpenJFX, as that is even more complex due to more dependencies and also because we do build the media stubs, which are built from sources that have changed location/name between different versions. 
The buildscript for the devkit we build is being developed in https://urldefense.com/v3/__https://github.com/gluonhq/devtoolskit__;!!ACWV5N9M2RV99hQ!Ju_gdUdp947n6T1MJ-5EGJpGE5_l0-H1cT7QA3-hXPtOY8b5hYr_mHO830NgFWVY63-zwNfhClWZrrpP0kUM$  and as you can see from the latest commit, we're not there yet since we link a few header files from the host OS into the devkit.

Don't get me wrong, I totally applaud your work, and I agree reproducible builds are very valuable. My point is that there is more work to be done before we can really create reproducible builds that can be verified. Different compilers will yield different images of eg. libjfxmedia.so and there is no stock-compiler that can do the job.

-------------

PR: https://git.openjdk.org/jfx/pull/446