<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Garamond,Georgia,serif;" dir="ltr">
<p>Hi Yasser,</p>
<p><br>
</p>
<p>&gt; <b style="color: rgb(22, 21, 19); font-size: 16px;">Given just a GAV coordinate, how can I reliably identify the full list of related GAVs that were included in the upstream release of that single GAV?</b></p>
<p><br>
</p>
<p>It sounds to me like you are interested in getting all the dependencies of that single GAV in order to build an identical jar. But to reproduce the jar, you don't need to explicitly gather the whole list of dependencies. You identify the source code of
 the project and build it using a Java build tool. The build tool gathers the dependencies for you.</p>
<p><span style="font-size: 12pt;"><br>
</span></p>
<p><span style="font-size: 12pt;">Infrastructure like <a href="https://github.com/jvm-repo-rebuild/reproducible-central" class="OWAAutoLink">https://github.com/jvm-repo-rebuild/reproducible-central</a> does the same thing. Refer to
<a href="https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/trino/trino-446.buildspec" class="OWAAutoLink">
one of the <u>buildspec</u></a><u></u> files that it has. It is basically a build recipe for reproducing the build.</span></p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, EmojiFont, "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;">
<div id="m_4935352394101912768Signature">
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"><span id="divtagdefaultwrapper" style="font-size:12pt">
<div style="margin-top:0; margin-bottom:0"><br>
</div>
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Regards,</span></div>
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Aman Sharma</span></div>
</span><br>
</span></font></div>
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"></span><span class="im">PhD Student<br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
</span><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
</font></div>
</div>
<a href="https://www.kth.se/profile/amansha" class="OWAAutoLink" id="LPNoLP"><span style="font-size:10pt"></span></a><a href="https://algomaster99.github.io/" class="OWAAutoLink" id="LPNoLP">https://algomaster99.github.io/</a><br>
</div>
</div>
</div>
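<p>An added example, not part of the original message or of either project mentioned in this thread: once a rebuild from source exists, this sketch maps a GAV to its path in the standard Maven repository layout and compares the rebuilt jar with the published one, listing which entries differ when the two are not byte-identical. The function names, the GAV <code>org.example:demo-lib:1.2.3</code> and both sample jars are constructed for illustration.</p>

```python
import hashlib
import io
import zipfile

def gav_to_path(gav, ext="jar"):
    """Repository-relative path for 'group:artifact:version' (standard Maven 2 layout)."""
    group, artifact, version = gav.split(":")
    return f"{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.{ext}"

def _entries(jar_bytes):
    """Map entry name -> (sha256 of uncompressed content, stored timestamp)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time)
                for i in zf.infolist()}

def compare_jars(reference, rebuilt):
    """Return (identical, findings) for a published jar and a local rebuild."""
    if hashlib.sha256(reference).digest() == hashlib.sha256(rebuilt).digest():
        return True, []
    ref, new = _entries(reference), _entries(rebuilt)
    findings = []
    for name in sorted(set(ref) | set(new)):
        if name not in new:
            findings.append(f"missing in rebuild: {name}")
        elif name not in ref:
            findings.append(f"extra in rebuild: {name}")
        elif ref[name][0] != new[name][0]:
            findings.append(f"content differs: {name}")
        elif ref[name][1] != new[name][1]:
            findings.append(f"timestamp differs: {name}")
    # Same entries and timestamps but different bytes: ordering, compression, etc.
    return False, findings or ["archive metadata differs (entry order, compression, ...)"]

def make_jar(files, stamp):
    """Build a constructed sample jar in memory (test data, not a real release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: same class file, different manifest and timestamps.
    ref = make_jar({"META-INF/MANIFEST.MF": b"Build-Jdk-Spec: 17\n",
                    "A.class": b"\xca\xfe"}, (2024, 1, 1, 0, 0, 0))
    new = make_jar({"META-INF/MANIFEST.MF": b"Build-Jdk-Spec: 21\n",
                    "A.class": b"\xca\xfe"}, (2025, 8, 29, 0, 0, 0))
    print(gav_to_path("org.example:demo-lib:1.2.3"))
    print(compare_jars(ref, new))
```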
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> rb-general <rb-general-bounces@lists.reproducible-builds.org> on behalf of William Burton via rb-general <rb-general@lists.reproducible-builds.org><br>
<b>Sent:</b> Friday, August 29, 2025 12:45:39 PM<br>
<b>To:</b> General discussions about reproducible builds<br>
<b>Cc:</b> William Burton<br>
<b>Subject:</b> Re: Reproducing a Maven Central Release from a single GAV coordinate</font>
<div> </div>
</div>
<div>
<div dir="ltr">Hi Yasser,
<div><br>
</div>
<div>This is the focused goal of <a href="https://github.com/jvm-repo-rebuild/reproducible-central">https://github.com/jvm-repo-rebuild/reproducible-central</a> so that's definitely a good place to start!<br>
<br>
Additionally, our project (website: <a href="https://oss-rebuild.dev/">https://oss-rebuild.dev/</a> source: <a href="https://github.com/google/oss-rebuild">https://github.com/google/oss-rebuild</a>) is in the process of adding Maven support which will probably
 leverage reproducible-central in some ways. That's in addition to our other supported ecosystems like npm, crates, and pypi.<br>
<br>
Comparing the two, I'd say reproducible-central is a good place to dig in on technical details about how/why certain GAVs are reproducible or not, while OSS Rebuild is a little more "batteries included" by producing signed attestations and ecosystem-agnostic
 support tooling. There's collaboration across the two projects so I don't think you can go wrong either way :)</div>
</div>
<div dir="ltr"><br>
<div></div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Aug 29, 2025 at 11:50 AM yasser lazrek <<a href="mailto:lazrekyasser1998@gmail.com" target="_blank">lazrekyasser1998@gmail.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px 0px 1.25em;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Hello,</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
As part of a build-from-source initiative, I am working on a top-down strategy to build project dependencies from source. Often, when trying to build a particular dependency, the only information available is its Maven GAV (Group ID, Artifact ID, and Version)
 coordinate.</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
My question is: <span style="box-sizing:border-box;border-width:0px;border-style:solid;margin:0px;padding:0px;font-weight:600">Given just a GAV coordinate, how can I reliably identify the full list of related GAVs that were included in the upstream release
 of that single GAV?</span> The goal is to reproduce the released binary artifact by building from the upstream source (using its repository URL and a specific commit hash or release tag), and to ensure that the output matches exactly what was published on
 Maven Central.</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Are there recommended tools or best practices to trace the complete set of artifacts and metadata associated with an original Maven Central release that can cover the majority of artifacts (GAVs) on Maven Central, solely from its GAV? Any advice or pointers
 would be greatly appreciated.</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Thank you for your insights!</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Best regards,</p>
</div>
</blockquote>
</div>
</div>
</body>
</html>