Re-running sentry plugin breaks binary-reproducible builds

[elektro-wolle]

Maven Version

3.9.9

Version

0.10.0

Sentry SDK Version

8.29.0

Steps to Reproduce

Running a mvn clean install with active sentry plugin and reproducible-build-maven-plugin twice gives you different JARs. Extracting those in two different directories shows the difference in sentry-debug-meta.properties:

Expected Result

The generated sentry-debug-meta.properties-file should not have the current date in it (either remove it completely or use the ${maven.build.timestamp}).
The bundle-id is currently a random UUID. It should be better, if this would also be stable (e.g., by using 128 bits of the SHA256 of the source bundle to be uploaded).

Sourcecode, that causes this: file comment with timestamp and for the bundleId

Maybe, the collect source task could create the hash and create a bundleId for createDebugMetaPropertiesFile.

Actual Result

$ diff -w -u -r b1 b2
diff --color -w -u -r b1/sentry-debug-meta.properties b2/sentry-debug-meta.properties
--- b1/sentry-debug-meta.properties	2000-01-01 00:00:00
+++ b2/sentry-debug-meta.properties	2000-01-01 00:00:00
@@ -1,4 +1,4 @@
 #Generated by sentry-maven-plugin
-#Fri Dec 19 13:14:31 CET 2025
+#Fri Dec 19 13:17:20 CET 2025
 io.sentry.build-tool=maven
-io.sentry.bundle-ids=ea459ca9-55b9-4c2b-8e1a-b950aa6b6f9c
+io.sentry.bundle-ids=244a93da-f739-41ae-b427-e4627069e641

[linear]

MAVEN-8

[adinauer]

Thanks for opening this issue. Your suggestions sound reasonable but I'd like to talk them through with the team first so it'll probably be a while (due to holidays) until then.

[elektro-wolle]

No Problem, I fixed it by excluding sentry-debug-meta.properties from the maven-jar-plugin.

Happy holidays!