Uploaded image for project: 'JDK'
  1. JDK
  2. JDK-8347349

ModuleHashes attribute generated for JMOD and JAR files depends on timestamps

XMLWordPrintable

    • Icon: CSR CSR
    • Resolution: Unresolved
    • Icon: P3 P3
    • 15
    • core-libs
    • None
    • behavioral
    • low
    • Hide
      If a project has created modular JAR or JMOD files with modules that are tightly coupled, e.g. using qualified exports, and they use the --hash-module option to compute/record hashes then any hashes recorded with JDK 14 or older will be rejected by JDK 15 and newer.

      I have not identified any projects that use this feature so documenting the compatibility risk as low. JDK 15 was released more than 4 years ago and there haven't been any reports of issues. If it arises then the JDK could check the hashes with the older (JDK 9-14) scheme to avoid the compatibility issue.
      Show
      If a project has created modular JAR or JMOD files with modules that are tightly coupled, e.g. using qualified exports, and they use the --hash-module option to compute/record hashes then any hashes recorded with JDK 14 or older will be rejected by JDK 15 and newer. I have not identified any projects that use this feature so documenting the compatibility risk as low. JDK 15 was released more than 4 years ago and there haven't been any reports of issues. If it arises then the JDK could check the hashes with the older (JDK 9-14) scheme to avoid the compatibility issue.
    • JDK

      (This is a retroactive CSR to document a change in JDK 15 with compatibility impact. The compatibility impact has recently come to light while investigating an interop issue between Oracle JDK 11u and builds from the OpenJDK 11u repo. The interop issue arises because this change was back ported to the OpenJDK 11u repo, thus changing how the hashes are computed for standard / JDK modules, and breaking jlink cross-linking. Note that cross linking is restricted to same feature release, the change in JDK 15 does not impact cross linking with standard or JDK modules).

      Summary

      The jar and jmod tools support the command line option --hash-modules to compute and record the hashes of modules that depend upon directly or indirectly on a module in a modular JAR or JMOD file.

      Change the computation of the hash so that it's reproducible, meaning it is independent of the ordering of entries in the JAR or JMOD file and independent of the timestamps on entries.

      Problem

      The hash computed by jar --hash-modules and jmod --hash-modules is hostile to reproducible builds. This is primarily an issue for JDK builds as there has been a lot of interest in having the JDK build be reproducible.

      Solution

      Change the computation of the hash so it is independent of the ordering of entries in the JAR or JMOD file and independent on the timestamps on entries.

      Specification

      There are no specification changes or changes to command line options.

            alanb Alan Bateman
            alanb Alan Bateman
            Christoph Langer
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: