Affected version
3.6.2
Bug description
The position of a META-INF/services/ directory entry in a shaded JAR depends on the iteration order in which project.getArtifacts() returned the first dependency with a services file inside.
The Shade plugin writes a META-INF/services/ directory entry at the current output position as soon as it encounters the first file under META-INF/services/. It then delegates writing the services file itself to ServicesResourceTransformer (which writes the file at the end). Since the order in which project.getArtifacts() returns artifacts is unpredictable, the directory entry position is also non-deterministic, potentially causing a non-reproducible build.
Seen when rebuilding https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/it/mulders/mcs/README.md (and quite a few others like OpenFastTrace https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/itsallcode/openfasttrace/openfasttrace-4.1.0.diffoscope#L13 / https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/itsallcode/openfasttrace/README.md)
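As an added illustration (not code from this report or from the Shade plugin), the Python script below builds two constructed in-memory JARs with the same entries, in which only the META-INF/services/ directory entry sits at a different position, and classifies the difference the way a rebuild check would. The class names, file contents and the `classify` helper are assumptions made up for the example.

```python
import hashlib
import io
import zipfile

FIXED_TIME = (1980, 1, 1, 0, 0, 0)  # constant timestamp, so only entry order varies


def build_jar(entries):
    """Write (name, data) pairs into an in-memory JAR in exactly the given order."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as jar:
        for name, data in entries:
            jar.writestr(zipfile.ZipInfo(name, date_time=FIXED_TIME), data)
    return buf.getvalue()


def read_entries(jar_bytes):
    """Return [(name, data)] in archive (central directory) order."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return [(info.filename, jar.read(info)) for info in jar.infolist()]


def classify(jar_a, jar_b):
    """Say whether two JARs are identical, differ in content, or only in entry order."""
    if jar_a == jar_b:
        return "identical"
    a, b = read_entries(jar_a), read_entries(jar_b)
    if sorted(a) != sorted(b):
        return "content differs"
    for index, ((name_a, _), (name_b, _)) in enumerate(zip(a, b)):
        if name_a != name_b:
            return f"order differs at entry {index}: {name_a!r} vs {name_b!r}"
    return "metadata differs"  # same entries, same order, different headers


# Constructed sample: the directory entry lands wherever the first services
# file was encountered; the merged services file is always written last.
DIR = ("META-INF/services/", b"")
SPI = ("META-INF/services/com.example.Spi", b"com.example.b.Impl\n")
A = ("com/example/a/A.class", b"\xca\xfe\xba\xbe A")
B = ("com/example/b/B.class", b"\xca\xfe\xba\xbe B")
BUILD_1 = build_jar([DIR, A, B, SPI])
BUILD_2 = build_jar([A, DIR, B, SPI])

if __name__ == "__main__":
    for label, jar in (("build 1", BUILD_1), ("build 2", BUILD_2)):
        names = [name for name, _ in read_entries(jar)]
        print(label, hashlib.sha256(jar).hexdigest()[:16], names)
    print(classify(BUILD_1, BUILD_2))
```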