Reproducing Eclipse Temurin builds from an SBOM

This is a follow-up to last year's video "Producing binary identical builds of ..." and demonstrates an initial version of a script that can reproduce a build of Eclipse Temurin using the information we produce as part of the SBOM (Software Bill Of Materials) generation that is part of our build process.

This is very much a work in progress and we will have a further video once it is more stable, but this shows what is possible. At the moment we have to use the SBOM metadata file instead of the main SBOM because not all of the content is currently in the main SBOM file.

The script can be downloaded from https://github.com/sxa/ci-jenkins-pip... (I'll adjust this URL once some fixes in there are merged)

The SBOM metadata files can be obtained from the GitHub release for the version you want. For the example in the video, the list of artefacts including the SBOM metadata is in https://github.com/adoptium/temurin17... and the file in there which is the parameter to the script for my platform would be https://github.com/adoptium/temurin17...

So in summary, you should just need to run the following to replicate the example in the video (adjust accordingly if you're using x64; note that x64 prior to JDK20 builds on CentOS 6 instead of CentOS 7). Also note that because YouTube has made these hyperlinks you'll probably want to click the link and then copy the URL from there instead of trying to cut and paste these commands from the description.

docker run -it centos:7
curl -OL https://github.com/sxa/ci-jenkins-pipelines/raw/ci_url_fix/tools/reproduce_comparison/compareLinux.sh
sh compareLinux.sh https://github.com/adoptium/temurin20-binaries/releases/download/jdk-20.0.1+9/OpenJDK20U-sbom_aarch64_linux_hotspot_20.0.1_9-metadata.json

Or for the JDK17 example in the video:

sh ./compareLinux.sh https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.7%2B7/OpenJDK17U-sbom_aarch64_linux_hotspot_17.0.7_7-metadata.json