<div dir="ltr">Hi Yasser,<div><br></div><div>This is the focused goal of <a href="https://github.com/jvm-repo-rebuild/reproducible-central">https://github.com/jvm-repo-rebuild/reproducible-central</a> so that's definitely a good place to start!<br><br>Additionally, our project (website: <a href="https://oss-rebuild.dev/">https://oss-rebuild.dev/</a> source: <a href="https://github.com/google/oss-rebuild">https://github.com/google/oss-rebuild</a>) is in the process of adding Maven support which will probably leverage reproducible-central in some ways. That's in addition to our other supported ecosystems like npm, crates, and pypi.<br><br>Comparing the two, I'd say reproducible-central is a good place to dig in on technical details about how/why certain GAVs are reproducible or not, while OSS Rebuild is a little more "batteries included" by producing signed attestations and ecosystem-agnostic support tooling. There's collaboration across the two projects so I don't think you can go wrong either way :)</div></div><div dir="ltr"><br><div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Aug 29, 2025 at 11:50 AM yasser lazrek <<a href="mailto:lazrekyasser1998@gmail.com" target="_blank">lazrekyasser1998@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px 0px 1.25em;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">Hello,</p><div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px"></div><p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">As part of a build-from-source initiative, I am working on a top-down strategy to build project dependencies from source. Often, when trying to build a particular dependency, the only information available is its Maven GAV (Group ID, Artifact ID, and Version) coordinate.</p><div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px"></div><p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">My question is: <span style="box-sizing:border-box;border-width:0px;border-style:solid;margin:0px;padding:0px;font-weight:600">Given just a GAV coordinate, how can I reliably identify the full list of related GAVs that were included in the upstream release of that single GAV?</span> The goal is to reproduce the released binary artifact by building from the upstream source (using its repository URL and a specific commit hash or release tag), and to ensure that the output matches exactly what was published on Maven Central.</p><div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px"></div><p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">Are there recommended tools or best practices to trace the complete set of artifacts and metadata associated with an original Maven Central release that can cover the majority of artifacts(GAVs) on Maven Central, solely from its GAV? Any advice or pointers would be greatly appreciated.</p><div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px"></div><p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">Thank you for your insights!</p><div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px"></div><p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">Best regards,</p></div>
</blockquote></div>