Reducing Risk of Supply Chain Attacks with Reproducible Builds in Gradle
It's becoming more and more common for Free and Open Source dependencies to be poisoned by attackers. It is (fortunately) not solved by using only proprietary software, as the SolarWinds breach last year taught us.
However, by using Free and Open Source tooling, we have the ability to independently verify that a built package is byte-for-byte the exact same between the maintainer's machine and your own.
As authors of libraries, we should be striving to provide this functionality for our consumers by making sure our build and packaging processes apply the practices shared by the Reproducible Builds community and the Supply-chain Levels for Software Artifacts (SLSA) best practices.
Gradle has supported this since version 3.4, and the documentation describes how to set it up; I have echoed that below and added a Kotlin example.
build.gradle
If you're using the Groovy buildscript, you'll need the following:
allprojects {
    // Applies to every archive-producing task (Jar, War, Zip, Tar, ...) in every project
    tasks.withType(AbstractArchiveTask).configureEach {
        // Write a constant timestamp for every entry instead of the file's mtime
        preserveFileTimestamps = false
        // Add entries in a sorted order instead of whatever order the filesystem returns
        reproducibleFileOrder = true
    }
}
build.gradle.kts
Or if you're using a Kotlin buildscript, you can use the following:
allprojects {
    // Same configuration as the Groovy version, using the Kotlin DSL's reified withType
    tasks.withType<AbstractArchiveTask>().configureEach {
        // Write a constant timestamp for every entry instead of the file's mtime
        isPreserveFileTimestamps = false
        // Add entries in a sorted order instead of whatever order the filesystem returns
        isReproducibleFileOrder = true
    }
}
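The two settings above fix exactly the two things that normally make a jar differ between machines: entry timestamps and entry order. The following Python script is an added example (not part of this post or of Gradle) that simulates packaging the same compiled files on two machines, once with and once without those properties, and then performs the byte-for-byte check the introduction talks about, plus a small audit of an archive's entries. The constant timestamp it checks for (1980-02-01 00:00:00) is the value Gradle writes when preserveFileTimestamps is false; the file names and contents are constructed sample data.

```python
import hashlib
import io
import zipfile

# Timestamp Gradle writes into every zip entry when preserveFileTimestamps=false.
# (The zip format cannot represent anything before 1980; Gradle uses Feb 1 1980.)
CONSTANT_ZIP_TIME = (1980, 2, 1, 0, 0, 0)

# Constructed sample "compiled output". Insertion order is deliberately not sorted,
# standing in for the arbitrary order a filesystem walk can return on one machine.
SAMPLE_ENTRIES = {
    "com/example/Main.class": b"\xca\xfe\xba\xbe main",
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "com/example/Util.class": b"\xca\xfe\xba\xbe util",
}


def build_jar(entries, timestamp, reproducible_order):
    """Simulate an archive task packaging `entries` ({path: bytes}) into a jar.

    `timestamp` plays the role of the mtime the archiver would copy from disk
    (or the constant Gradle substitutes); `reproducible_order` mirrors the
    reproducibleFileOrder property.
    """
    names = sorted(entries) if reproducible_order else list(entries)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in names:
            info = zipfile.ZipInfo(name, date_time=timestamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_jar(data):
    """Return a list of reasons an archive is unlikely to be reproducible (empty = clean)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        names = [i.filename for i in infos]
        if names != sorted(names):
            findings.append("entries are not in sorted order")
        stamps = {i.date_time for i in infos}
        if len(stamps) > 1:
            findings.append(f"entries carry {len(stamps)} distinct timestamps")
        elif stamps and stamps != {CONSTANT_ZIP_TIME}:
            findings.append(
                f"timestamp {stamps.pop()} is not the fixed 1980-02-01 value"
            )
    return findings


def compare_builds(entries, reproducible):
    """Build the same sources on two simulated machines and compare the bytes.

    The second machine hands the files to the archiver in a different order and,
    unless the build is reproducible, with different mtimes. Returns
    (identical, findings_for_first_build).
    """
    if reproducible:
        ts_first = ts_second = CONSTANT_ZIP_TIME
        sorted_order = True
    else:
        ts_first = (2021, 6, 1, 12, 0, 0)   # mtime on the maintainer's machine
        ts_second = (2021, 6, 2, 9, 30, 0)  # mtime after checkout on your machine
        sorted_order = False
    first = build_jar(entries, ts_first, sorted_order)
    second = build_jar(dict(reversed(list(entries.items()))), ts_second, sorted_order)
    return sha256(first) == sha256(second), audit_jar(first)


if __name__ == "__main__":
    for mode in (False, True):
        identical, findings = compare_builds(SAMPLE_ENTRIES, reproducible=mode)
        print(f"reproducible={mode}: identical={identical}, findings={findings}")
```

Running it shows that with the defaults the two archives hash differently even though they contain identical class files, while with the constant timestamp and sorted order they are byte-for-byte the same. The audit_jar function is what you would point at a published artifact before trusting it: if it reports varying timestamps or unsorted entries, the publisher's build is not reproducible and an independent rebuild cannot be expected to match.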