Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Provide documentation on best practices when obfuscating a Gradle Kotlin multimodule Spring Boot application #422

Open
matthewadams opened this issue Jul 20, 2024 · 2 comments

Comments

@matthewadams
Copy link

matthewadams commented Jul 20, 2024

NB: This is basically an attempt to resurrect this old issue.

We looked at the example referenced in this issue, which is quite out of date now, plus, it's a single-module Gradle Groovy Spring Boot project. We had to jump through some serious hoops to get ProGuard to work in our Gradle Kotlin multimodule Spring Boot 3.x project. So many, in fact, that we entered an issue to include a Spring Intializr option to add ProGuard configuration in the generated Spring Boot project. Due to the plethora of ProGuard options, they declined.

That prompted me to request that the Spring folks partner with y'all to produce an authoritative example as a blog/article/documentation, but they declined, stating that they had no ProGuard expertise on staff.

Most of the current ProGuard documentation is specific to Android projects, but Spring Boot is an entirely different beast. As such, I second @shuishuijiao's request to add documentation, including best practices, on how to obfuscate a multimodule Gradle Kotlin Spring Boot project. There are many things to consider, and this effort cost us more than two weeks of effort. We are still not 100% confident we nailed the best practices. It seems to work, but we're pretty nervous about using our obfuscated Spring Boot jar.

As the pendulum swings away from cloud deployments toward edge-based, on-prem solutions, I think you can expect to see more and more ProGuard users obfuscating in this environment.

@mrjameshamilton
Copy link
Contributor

Hi @matthewadams !

Good to hear that you've successfully integrated ProGuard into your Spring Boot application. It's a shame that the Spring folks are not able to add ProGuard to the documentation / Initialzr project.

However, I think the knowledge you've gained in your effort to integrate ProGuard in your project could be extremely useful for you to share with others. We'd be happy to accept PRs for updating the Spring sample to a more modern sample, or adding some extra documentation to the manual. You could also share your knowledge in a post on the ProGuard community.

@matthewadams
Copy link
Author

Having you suggest that we simply submit a PR is not what I had in mind. I was basically requesting that you work with the Spring team to document The Way™️. We do not have any confidence that what we've implemented reflects best practices, or will even work in general. We wasted much time on this, and don't really have the bandwidth to create a sample Spring Boot Gradle Kotlin multiproject that illustrates what we needed to do adequately. We'd consider a quick meeting with you to show you what we've done, but that's about the extent of it until we exit the lean startup phase (if ever).

There will be in increasing number of these use cases as edge computing offerings increase in number, and I'd think you'd see that the work effort to do this as your opportunity to capture more market share by lowering the barrier to entry for using ProGuard with Spring Boot applications. Feel free to close if you're not interested.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants