Skip to content

Commit 3e2b399

Browse files
committed
Replace vendored jars with verified Maven Central dependencies
374 of 419 vendored jars are replaced by version-catalog coordinates (gradle/libs.versions.toml). Every adopted coordinate was SHA-1-matched byte-identical to the vendored jar it replaces; resolution is non-transitive so the runtime artifact set stays exactly the audited set, and gradle/verification-metadata.xml enforces sha256 on every resolution. gradle/vendored-layout.json maps each artifact to its historical place in the distribution; per-project placement checks (aggregated by verifyVendoredParity, required by every build and by setup assembly) fail if a resolved artifact lacks a placement. The 45 jars without a byte-identical published artifact stay vendored, each with an evidence-based reason in tools/build-parity/jar-provenance.json. Distribution output is verified entry-content identical to an Ant build of this branch's parent commit: 490 of 490 archives, zero differences beyond tool metadata. Tooling and methodology in tools/build-parity/. Refs #52, #146 Signed-off-by: Finnegan's Owner <44065187+pacmano1@users.noreply.github.com>
1 parent d32adbb commit 3e2b399

384 files changed

Lines changed: 10212 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

BUILD-MIGRATION.md

Lines changed: 515 additions & 0 deletions

CONTRIBUTING.md

Lines changed: 18 additions & 0 deletions

build.gradle

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -363,6 +363,40 @@ tasks.register('clean') {
363363
dependsOn ':donkey:clean', ':server:clean', ':client:clean', ':command:clean', ':generator:clean'
364364
}
365365

366+
// Writes one SHA line per file of the staged distribution to
367+
// build/distribution-snapshot.txt. The protocol for changing build
368+
// logic: snapshot, make the change, build, snapshot again, diff. Only
369+
// the changes you intended should appear (see CONTRIBUTING.md).
370+
tasks.register('snapshotDistribution') {
371+
group = 'verification'
372+
description = 'Writes a SHA-256 line per file of server/setup for before/after comparison of build changes.'
373+
outputs.upToDateWhen { false }
374+
doLast {
375+
def setupDir = file('server/setup')
376+
if (!setupDir.directory) {
377+
throw new GradleException('server/setup does not exist; run ./gradlew build first')
378+
}
379+
def out = new StringBuilder()
380+
def md = java.security.MessageDigest.getInstance('SHA-256')
381+
setupDir.eachFileRecurse(groovy.io.FileType.FILES) { f ->
382+
md.reset()
383+
f.withInputStream { ins ->
384+
byte[] buf = new byte[1 << 20]
385+
int n
386+
while ((n = ins.read(buf)) > 0) {
387+
md.update(buf, 0, n)
388+
}
389+
}
390+
def rel = setupDir.toPath().relativize(f.toPath())
391+
out.append(md.digest().encodeHex()).append(' ').append(rel).append('\n')
392+
}
393+
def target = file('build/distribution-snapshot.txt')
394+
target.parentFile.mkdirs()
395+
target.text = out.readLines().sort().join('\n') + '\n'
396+
logger.lifecycle "snapshot written: ${target} (${target.readLines().size()} files)"
397+
}
398+
}
399+
366400
// Aggregate: the per-project checks resolve each configuration in its
367401
// OWNING project's context (Gradle-9-safe; no cross-project resolution).
368402
tasks.register('verifyVendoredParity') {
-1.07 MB
Binary file not shown.
-7.94 MB
Binary file not shown.
-689 KB
Binary file not shown.
-241 KB
Binary file not shown.
-393 KB
Binary file not shown.
-734 KB
Binary file not shown.
-1.07 MB
Binary file not shown.

0 commit comments

Comments
 (0)