Skip to content

jgneff/strictly-maven

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Strictly Maven: Apache Maven™ in a strictly-confined snap

Apache Maven is a build automation tool used primarily for Java projects, with support for projects written in C#, Ruby, Scala, and other languages. This project builds Snap packages of Maven directly from its source repository on GitHub. These packages are strictly confined, running in complete isolation with only limited access to your system. See the Install and Usage sections below for details.

See also

This project is one of four that I created to gain control of my development environment:

  • OpenJDK - Current JDK release and early-access builds

    openjdk

  • OpenJFX - Current JavaFX release and early-access builds

    openjfx

  • Strictly Maven - Apache Maven™ in a strictly-confined snap

    strictly-maven

  • Strictly NetBeans - Apache NetBeans® in a strictly-confined snap

    strictly-netbeans

Install

Install the Strictly Maven Snap package with the command:

$ sudo snap install strictly-maven

The Snap package is strictly confined and adds only the following interfaces to its permissions:

  • the home interface to read and write files under your home directory, and
  • the network interface to download artifacts from remote repositories such as Maven Central.

When you install Strictly Maven, it will automatically install the OpenJDK Snap package and connect to it for its Java Development Kit (JDK). You can also install the OpenJDK Snap package manually with the command:

$ sudo snap install openjdk

After both packages are installed, you'll see the following interface among their list of connections:

$ snap connections strictly-maven
Interface             Plug                        Slot                 Notes
content[jdk-19-1804]  strictly-maven:jdk-19-1804  openjdk:jdk-19-1804  -

You can also connect them manually with the command:

$ sudo snap connect strictly-maven:jdk-19-1804 openjdk:jdk-19-1804

You can use a different JDK by disconnecting the OpenJDK Snap package and setting the JAVA_HOME environment variable. Because the Strictly Maven Snap package is strictly confined, the JDK must be located in a non-hidden folder of your home directory. For example:

$ sudo snap disconnect strictly-maven:jdk-19-1804
$ export JAVA_HOME=$HOME/opt/jdk-20
$ strictly-maven --version

Trust

The steps in building the packages are open and transparent so that you can gain trust in the process that creates them instead of having to put all of your trust in their publisher.

Each step of the build process is documented below:

  • Build File - the Snapcraft build file that creates the package
  • Source Code - the release tags used to obtain the Maven source code
  • Snap Package - information about the package and its latest builds on Launchpad
  • Store Listing - the listing for the package in the Snap Store

The Launchpad build farm runs each build in a transient container created from trusted images to ensure a clean and isolated build environment. Snap packages built on Launchpad include a manifest that lets you verify the build and identify its dependencies.

Verify

Each Strictly Maven package provides a software bill of materials (SBOM) and a link to its build log. This information is contained in a file called manifest.yaml in the directory /snap/strictly-maven/current/snap. The image-info section of the manifest provides a link to the package's page on Launchpad with its build status, including the complete log file from the container that ran the build. You can use this information to verify that the Strictly Maven Snap package installed on your system was built from source on Launchpad using only the software in Ubuntu 18.04 LTS.

For example, I'll demonstrate how I verify the Strictly Maven Snap package installed on my system at the time of this writing. The snap info command shows that I installed Strictly Maven version 3.8.6 with revision 5:

$ snap info strictly-maven
...
channels:
  latest/stable:    3.8.6 2022-09-15 (5) 8MB -
  latest/candidate: ↑
  latest/beta:      ↑
  latest/edge:      ↑
installed:          3.8.6            (5) 8MB -

The following command prints the build information from the manifest file:

$ grep -A3 image-info /snap/strictly-maven/current/snap/manifest.yaml
image-info:
  build-request-id: lp-73843238
  build-request-timestamp: '2022-09-05T19:13:48Z'
  build_url: https://launchpad.net/~jgneff/+snap/strictly-maven/+build/1871681

The build_url in the manifest is a link to the page on Launchpad with the package's Build status and Store status. The store status shows that Launchpad uploaded revision 5 to the Snap Store, which matches the revision installed on my system. The build status shows a link to the log file with the label buildlog.

The end of the log file contains a line with the SHA512 checksum of the package just built, shown below with the checksum edited to fit on this page:

Snapping...
Snapped strictly-maven_3.8.6_multi.snap
Starting Snapcraft 7.1.3
Logging execution to
  '/root/.cache/snapcraft/log/snapcraft-20220905-191600.223321.log'
984bd6d368c7e795...135842df5d1c0989  strictly-maven_3.8.6_multi.snap
Revoking proxy token...

The command below prints the checksum of the package installed on my system:

$ sudo sha512sum /var/lib/snapd/snaps/strictly-maven_5.snap
984bd6d368c7e795...135842df5d1c0989  /var/lib/snapd/snaps/strictly-maven_5.snap

The two checksum strings are identical. Using this procedure, I verified that the Strictly Maven Snap package installed on my system and the Strictly Maven Snap package built and uploaded to the Snap Store by Launchpad are in fact the exact same package. For more information, see Launchpad Bug #1979844, "Allow verifying that a snap recipe build corresponds to a store revision."

Usage

You can put the following alias in your ~/.bash_aliases file to be able to run the Strictly Maven Snap package using the normal Maven mvn command:

alias mvn='strictly-maven'

Verify that the Strictly Maven Snap package is working and connected to the OpenJDK Snap package with the following commands:

$ type mvn
mvn is aliased to `strictly-maven'
$ mvn --version
Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63)
Maven home: /snap/strictly-maven/x1/maven
Java version: 19, vendor: Snap Build, runtime: /snap/strictly-maven/x1/jdk
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "5.15.0-48-generic", arch: "amd64", family: "unix"

If you instead see the error message below, make sure that the OpenJDK Snap package is installed and connected as described earlier under the Install section:

$ mvn --version
The JAVA_HOME environment variable is not defined correctly,
this environment variable is needed to run this program.

Then switch to a Maven project directory and try running the mvn clean command. If this is the first time, you'll see Maven downloading the plugins required for the clean phase.

The Snap package does not have access to hidden files or folders in your home directory, so it uses the following alternative locations for the Maven user settings file and local repository directory:

Apache Maven Default Strictly Maven Alternative
~/.m2/settings.xml ~/snap/strictly-maven/common/settings.xml
~/.m2/repository ~/snap/strictly-maven/common/repository

The Snap package runs Maven in its strictly-confined environment with a command equivalent to the following:

mvn --strict-checksums --settings ~/snap/strictly-maven/common/settings.xml "$@"

Build

You can build the Snap package on Linux by installing Snapcraft on your development workstation. Run the following commands to install Snapcraft, clone this repository, and start building the package:

$ sudo snap install snapcraft --classic
$ git clone https://github.com/jgneff/strictly-maven.git
$ cd strictly-maven
$ snapcraft

To run the build remotely on Launchpad, enter the command:

$ snapcraft remote-build

See the Snapcraft Overview page for more information about building Snap packages.

License

This project is licensed under the Apache License 2.0, the same license used by the Apache Maven project. See the LICENSE file for details. Apache Maven and the Maven logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries.

About

Apache Maven™ in a strictly-confined snap

Topics

Resources

License

Stars

Watchers

Forks

Sponsor this project

 

Languages