OF-2877 Reproducible builds

[stokito]

Pin the build timestamp and disable Built-By, Created-By and Build-Jdk-Spec fields from generated manifest. The Maven JAR plugin is updated to latest version that has the new option addDefaultEntries

https://igniterealtime.atlassian.net/browse/OF-2877

[stokito]

Note: I also changed the plugins parent pom so plugins jars also should have the manifest without generated fields.

[guusdk]

Can/should we modify the static dates that are introduced in this PR with one that is more tied to the state of the code, like the date of the last commit, or something?

Some of these changes are likely going to confuse future developers ("This date shouldn't be static! Lets make it a variable!"). Can you please add a reference to OF-2877 in the comments that you've already added. That will help people find more of the background of this change.

[stokito]

yes, we can use the git commit date https://maven.apache.org/guides/mini/guide-reproducible-builds.html#faq
It looks like we already have the git-commit-id-plugin but with a different group id pl.project13.maven.

The timestamp is used inside of the JAR as mtime for entries. It looks like it doesn't really used elsewhere and not shown to a user. We may change to 1/1/1970 to make it for anyone to not worried to update it. The comment should be enough.

Also later I noticed that the xmppserver.jar is actually not stable. It contains the Admin Console with JSP files that may (almost) randomly compiled differently. Disassembly show that it may use or not use the early return in generated methods.
Still, now it's much easier to detect such a change. As a partial solution we may extract the admin console to a separate jar (war?). This may be good idea for someone who actually aren't interested in the Admin Console.
I'll back to this on the weekend.