Tracking issue: non-deterministic java apps

[TomaSajt]

There are several ways to package a Java app inside Nixpkgs, and most of those package the final app into a .jar file. However, .jar files are not reproducible/deterministic by default.

How to check for reproducibility?

Why are .jar files not deterministic?

When creating a .jar file Java will place a META-INF/MANIFEST.MF file inside the archive which will have the current date as its creation date, so it's non-deterministic.

There also might be a problem with the fact that changing a .properties file during the build process will put the current timestamp inside the file as a comment. These can usually be patched out without too much of a hassle.

One could just download the pre-built .jar-s and not worry about this, but I think it's important to build stuff from source.

---

Here are some ways java packages/apps are built inside Nixpkgs:

• using javac+jar by themselves (not too common)
• using ant (usually using bundled jars for dependencies)
• using maven (there's a generic builder: maven.buildMavenPackage)
• using gradle (there's no generic builder for it yet, but some packages have found a way to patch it properly)

Possible solutions to achieve determinism

There was a setup-hook called canonicalize-jars-hook which aimed to solve this problem by unwrapping and rewrapping jars with the creation dates set to a fixed time. However, this process had some flaws

• it didn't preserve compression-state (whether an entry is just stored or is compressed)
• it needed weird workarounds for messed up jar files
• it messed up MANIFEST.MF

A after #296549, canonicalize-jars-hook lives on as stripJavaArchivesHook, using strip-nondeterminism as the backend.

My previous attempts at fixing this:

• canonicalize-jar: fix and refactor #278322
• stripzip-rs: init at 0.0.2, canonicalize-jars-hook: use stripzip-rs, canonicalize-jar: remove #286805

If we don't want to or can't use stripJavaArchivesHook for some reason, we could use the tools provided by the build systems:

Apache Ant

You can set modificationtime for the <jar> (and possibly <war>) tasks, usually in the build.xml files
Like this: <jar modificationtime="0" ...>...</jar>
To automate this you could use a script like this inside postPatch

# Fix jar timestamps for reproducibility
substituteInPlace build.xml \
    --replace-fail '<jar ' '<jar modificationtime="0" '

(Note, that this also matches a space character after the jar word, so that it doesn't accidentally match other tasks starting with jar, though there's not likely to be one anyway)

You could also use a dedicated xml modification tool like xmlstarlet

# Fix jar timestamps for reproducibility
xmlstarlet ed -L -a "//jar" -t attr -n "modificationtime" -v "0" build.xml

I tried to create setup-hook which does this automatically: #294516
However this would only work for ant projects

Maven

You can set the project.build.outputTimestamp property

You can do this by adding -Dproject.build.outputTimestamp=1980-01-01T00:00:02Z to the args given to the mvn command

or by patching the pom.xml file to have this:

<project>
  ...
  <properties>
    ...
    <project.build.outputTimestamp>1980-01-01T00:00:02Z</project.build.outputTimestamp>
  </properties>
  ...
</project>

Gradle

If the project uses Groovy, you can add the following lines to build.gradle

tasks.withType(AbstractArchiveTask) {
    preserveFileTimestamps = false
    reproducibleFileOrder = true
}

or if the project uses Kotlin you can add the following to build.gradle.kts

tasks.withType<AbstractArchiveTask> {
    isPreserveFileTimestamps = false
    isReproducibleFileOrder = true
}

Without a build system

If the packaging script of an app uses the jar command directly, you could use the --date flag to specify a build date. Note, this flag does not exist on versions before jdk17.

Example:

jar --date="1980-01-01T00:00:02Z" --create Program.class > test.jar

---

Though I'd say that using stripJavaArchivesHook is your best bet, because it should work with any build tool

---

Progress with making everything deterministic:

was already deterministic before opening this issue

• jogl (ant)
• prismlauncher (cmake's UseJava (javac+jar backend))
• rstudio (ant)
  • uses ant but doesn't create any jar files
• swt (javac+jar)

Fixed

• abcl (ant) (PR: abcl: make deterministic and clean up #278525)
• arduino-core-unwrapped (ant) (PR: treewide: use stripJavaArchivesHook in trivial cases #297566)
• astral (javac+jar) (PR: astral: make deterministic and clean up #297131)
• axis2 (ant) (PR: axis2: remove legacy builder.sh, make deterministic #294597)
• brmodelo (ant) (PR: brmodelo: make deterministic and clean up #297196)
• calcoo (ant) (PR: calcoo: make deterministic and clean up #278530)
• dataexplorer (ant) (PR: dataexplorer: make deterministic and clean up #297189)
• dayon (ant) (PR: dayon: make deterministic and clean up #278532)
• domination (ant) (PR: domination: make deterministic and clean up #294968)
• DisnixWebService (ant) (PR: DisnixWebService: make deterministic and clean up #294709)
• fop (ant) (PR: fop: clean up, make deterministic #294614)
• freemind (ant) (PR: freemind: adopt, refactor and make deterministic #298977)
• freetts (ant) (PR: freetts: clean up and make deterministic #294631)
• gcs (ant->golang) (PR: gcs: 4.8.0 -> 5.20.4, adopt, refactor #279271)
• gogui (ant) (PR: gogui: make deterministic and clean up #294739)
• hdfview (ant) (PR: hdfview: make deterministic #297160)
• hydra-ant-logger (ant) (PR: hydraAntLogger: make deterministic and clean up #278740)
• ili2c (ant) (PR: ili2c: make deterministic and clean up #278561)
• jameica (ant (PR: jameica: make deterministic and clean up #294619)
• jasmin (ant) (PR: jasmin: make deterministic and clean up #278567)
• javacc (ant) (PR: javacc: make deterministic and clean up #278577)
• javaCup (ant) (PR: javaCup: make deterministic and clean up #278572)
• java-service-wrapper (ant) (PR: java-service-wrapper: make deterministic, do some cleanup #295154)
• jdepend (ant) (PR: jdepend: make deterministic and clean up #278534)
• jedit (ant) (PR: jedit: 5.2.0 -> 5.6.0-unstable-2023-11-19, adopt and rewrite #297255)
• jetbrains.jcef (ant) (PR: jetbrains.jcef: make deterministic #297717)
• jffi (ant) (PR: jffi: clean up and make deterministic #298989)
• jna (ant) (PR: jna: make deterministic and clean up #297193)
• jpsxdec (ant) (PR: jpsxdec: 1.06 -> 2.0, make deterministic, clean up #278739)
• jugglinglab (ant->maven) (PR: jugglinglab: 1.6.3 -> 1.6.5, move to buildMavenPackage #278788)
• ktfmt (maven) (PR: ktfmt: make deterministic #280283)
• libbluray withJava (ant) (PR: libbluray: fix build using withJava, make java build deterministic #295055)
• martyr (ant) (PR: martyr: remove #279424)
• mkgmap (ant) (PR: mkgmap{,-splitter}: make deterministic add missing phase hook calls #294708)
• openrocket (ant) (PR: treewide: use stripJavaArchivesHook in trivial cases #297566)
• pattypan (ant) (PR: pattypan: make deterministic and clean up #278590)
• processing (ant) (PR: treewide: use stripJavaArchivesHook in trivial cases #297566)
• projectlibre (ant) (PR: projectlibre: make deterministic and clean up #294958)
• scenebuilder (maven) (PR: scenebuilder: 20.0.0 -> 21.0.1, make deterministic #287319)
• sleuthkit (ant) (PR: sleuthkit: clean up and make deterministic #295064)
• sweethome3d (ant) (PR: treewide: use stripJavaArchivesHook in trivial cases #297566)
• trimmomatic (ant) (PR: trimmomatic: make deterministic and clean up #278776)
• tvbrowser (ant): (PR: tvbrowser: use stripJavaArchivesHook for determinism #298562)
• xtreemfs (ant) (PR: treewide: use stripJavaArchivesHook in trivial cases #297566)

attempted, seems difficult

• dbeaver (maven)
  • many failed attempts to update
  • uses tycho to fetch dependencies
    • puts timestamps into files and mirror-site names into the directory names
    • probably impossible ATM
• mindustry (gradle)
  • Inconsistent file name order
    • This is partially fixed in Make file name orders deterministic Anuken/Mindustry#9443
  • The texture packer still has some ordering randomness inside the Arc library.
• i2p (ant)
  • not deterministic (unstable <servlet> order inside .xml files in the .war files)

could be done

• gephi (maven)
  • needs default plugin version fix
  • needs fixed outputTimestamp

not attempted

• buck (ant)
• more jetbrains stuff? (ant)
• libreoffice? (ant)
• polymake (ant)
• rabbitmq-java-client (ant)
  • uses python2
• There might be other packages that build jars which I didn't list here

[fgaz]

Maybe this hook should be added to the java packaging docs

yes please!

[de11n]

Excellent work.

[TomaSajt]

I was looking around on nixpkgs and it looks like ant actually does have a way to set the modification-time for the created jars. Here's the only example that's inside nixpkgs:

nixpkgs/pkgs/by-name/jo/jogl/package.nix

Lines 80 to 82 in daafb12

	xmlstarlet ed --inplace \
	--append //jar --type attr -n modificationtime --value 1980-01-01T00:00Z \
	build.xml gluegen-cpptasks-base.xml

It's adding a fixed modificationtime attribute to the jar task.
Docs of the jar ant task: https://ant.apache.org/manual/Tasks/jar.html

After some more looking, it turns out that even the jar program itself has the --date argument.

jar --date="1980-01-01T00:00:02Z" --create Program.class > test.jar

This will create a jar file with all files inside having the set timestamp. Though this is not in the older versions of java. The first version to have this inside nixpkgs is jdk17. Not sure exactly which version added it because it is heavily underdocumented, but I found which commit added it: openjdk/jdk@db68a0c

After some more searching, it looks like gradle also has something like this built in:

tasks.withType(AbstractArchiveTask) {
    preserveFileTimestamps = false
    reproducibleFileOrder = true
}

---

So, in conclusion, it looks like every major way of packaging has a built-in solution for fixed timestamps. I am a bit sad that I did not look into this more thoroughly earlier.
Still, I believe that having a hook, which works in all cases has its own merits, as it will allow us to avoid having to patch every java app.

[TomaSajt]

I decided that using the built-in method is a better solution, so I opened #294516, which moves away from canonicalize-jars-hook

I went with the general solution instead anyways

[de11n]

It might also be helpful to have a tool to detect common pitfalls in making Java packages deterministic. For example, we could find all jar files in the outputs and inspect them for timestamps that suggest non-determinism. We could then cause that build to fail unless some sort of "allowNondetermism = true" flag is set. This could be a setuphook but at some point we may want a buildJavaPackage builder that just applies common-sense things like this and can be easily documented.

[TomaSajt]

A new thing I discovered was the existance of .jmod files and they can also have some non-determinism. They are not just plain .jar files, they are a differnet format.
strip-nondeterminism supports patching these files.
AFAICT they are present inside every jdk since jdk9, but those seem to be mostly deterministic (though I only checked the latest jdk)