<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<style type="text/css" style="display:none;"><!-- P {margin-top:0;margin-bottom:0;} --></style>
<div id="divtagdefaultwrapper" style="font-size:12pt;color:#000000;font-family:Garamond,Georgia,serif;" dir="ltr">
<p>Hi Yasser,</p>
<p><br>
</p>
<p>> <font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";"><span style="font-size:16px;">Given
only a single GAV (e.g., G1:A1:V1), is there a reliable way (tool/technique) to determine the complete set of GAVs that were published as part of the same upstream release? In other words, starting with G1:A1:V1, how do I discover “all other GAVs that were
released together with it” so I can compare them with the outputs of my local build?</span></font></p>
<p><br>
</p>
<p>I do understand your question better now. Thanks for the elaboration :)</p>
<p>I had the same question when I was analyzing data in the reproducible central dataset. I wanted to present the reproducibility per GAV and not per source project. Thus, I needed to split the rebuilt artifacts from a source project into multiple GAVs. </p>
<p><br>
</p>
<p>> <font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";"><span style="font-size:16px;"><font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";"><span style="font-size:16px;">Inspect
the POM of G1:A1:V1: </span></font></span></font></p>
<ul style="margin:0.75em 0;padding:0;border:0 solid #161513;">
<li style="margin:0.5em 0;padding:0;border:0 solid #161513;"><font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";"><font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";">Walk
up the parent POM chain to locate the reactor root or a POM with a section.</font></font></li><li style="margin:0.5em 0;padding:0;border:0 solid #161513;"><font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";"><font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";">From
the root POM, enumerate modules and map them to expected GAVs at that version, then verify presence on Central (to exclude reactor-only or non-published modules).</font></font></li></ul>
<p></p>
<p><br>
</p>
<p>I built a tool <a href="https://github.com/chains-project/maven-module-graph" class="OWAAutoLink">
maven-module-graph</a> that does this. It takes in the root pom (along with the entire source of the Maven project) and returns all the submodules in the project. I used this tool to first get a list of GAVs and then, based on the artifact ID, I mapped the unreproducible
artifact which looks <a href="https://github.com/chains-project/reproducible-central/blob/master/java/unreproducible_gradle_projects_to_releases.json" class="OWAAutoLink">
something like this</a>. Here are the commands to try it out.</p>
<p><br>
</p>
<p></p>
<pre>./gradlew build
java -jar build/libs/maven-module-graph-1.0-SNAPSHOT.jar \
--project-root <span class="pl-k"><</span>path/to/maven/project/root<span class="pl-k">></span> \
--json <span class="pl-k"><</span>path/to/output.json<span class="pl-k">></span> \
--plain-text <span class="pl-k"><</span>path/to/output.txt<span class="pl-k">></span></pre>
<br>
<p></p>
<p><br>
</p>
<p>I have motivated in the README why I built this tool, but basically starting up the Maven reactor to discover all the submodules was too slow for me (even though it would be more correct in edge cases such as a pom file named differently than pom.xml).</p>
<p><br>
</p>
<p>> <font face="Oracle Sans,-apple-system,system-ui,Segoe UI,Helvetica Neue,Arial,sans-serif" size="2" color="#161513" style="font-family: Oracle Sans, -apple-system, system-ui, Segoe UI, Helvetica Neue, Arial, sans-serif, serif, "EmojiFont";"><span style="font-size:16px;">then
verify presence on Central (to exclude reactor-only or non-published modules).</span></font></p>
<p><br>
</p>
<p>I include all the GAVs in all profiles by default. If you want to exclude them, add `<span>--exclude-profiles</span>`. However, verification of presence is indeed a good heuristic.</p>
<p><br>
</p>
<div id="Signature">
<div id="divtagdefaultwrapper" dir="ltr" style="font-size: 12pt; color: rgb(0, 0, 0); font-family: Calibri, Helvetica, sans-serif, "EmojiFont", "Apple Color Emoji", "Segoe UI Emoji", NotoColorEmoji, "Segoe UI Symbol", "Android Emoji", EmojiSymbols;">
<div id="m_4935352394101912768Signature">
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"><span id="divtagdefaultwrapper" style="font-size:12pt">
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Regards,</span></div>
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Aman Sharma</span></div>
</span><br>
</span></font></div>
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"></span><span class="im">PhD Student<br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
</span><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif; background-color:rgb(255,255,255)"><a href="http://www.kth.se" target="_blank" id="LPNoLP"></a><a href="https://www.kth.se/profile/amansha" class="OWAAutoLink" id="LPNoLP"></a><a href="https://www.kth.se/profile/amansha" class="OWAAutoLink" id="LPNoLP"></a></span></font></div>
</div>
<a href="https://www.kth.se/profile/amansha" class="OWAAutoLink" id="LPNoLP"><span style="font-size:10pt"></span></a><a href="https://algomaster99.github.io/" class="OWAAutoLink" id="LPNoLP">https://algomaster99.github.io/</a><br>
</div>
</div>
</div>
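<p>An added example of the enumerate-modules and set-comparison steps discussed in this thread, written for this page and not taken from maven-module-graph or from any message here. The in-memory POMs, the PUBLISHED and LOCAL sets and all function names are constructed for illustration; `${...}` property interpolation and a real Central lookup are left out, so the presence check is represented by a fixed set.</p>

```python
import posixpath
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def _pom(body):
    return f'<project xmlns="http://maven.apache.org/POM/4.0.0">{body}</project>'


# Constructed sample reactor (relative path -> POM text); every name is made up.
PARENT = ("<parent><groupId>G1</groupId><artifactId>Aroot</artifactId>"
          "<version>V1</version></parent>")
SAMPLE_POMS = {
    "pom.xml": _pom(
        "<groupId>G1</groupId><artifactId>Aroot</artifactId><version>V1</version>"
        "<modules><module>a1</module><module>a2</module><module>a3</module>"
        "<module>it/pom-it.xml</module></modules>"
        "<profiles><profile><id>extras</id>"
        "<modules><module>a4</module></modules></profile></profiles>"),
    "a1/pom.xml": _pom(PARENT + "<artifactId>A1</artifactId>"),
    "a2/pom.xml": _pom(PARENT + "<artifactId>A2</artifactId>"),
    "a3/pom.xml": _pom(PARENT + "<artifactId>A3</artifactId>"),
    "a4/pom.xml": _pom(PARENT + "<artifactId>A4</artifactId>"),
    "it/pom-it.xml": _pom(PARENT + "<artifactId>A-it</artifactId>"),
}
# Constructed stand-ins for "what is on Central" and "what my build produced".
PUBLISHED = {"G1:Aroot:V1", "G1:A1:V1", "G1:A2:V1", "G1:A3:V1"}
LOCAL = {"G1:Aroot:V1", "G1:A1:V1", "G1:A2:V1", "G1:A3:V1", "G1:A4:V1"}


def _text(elem, tag):
    node = elem.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else None


def reactor_gavs(poms, pom_path="pom.xml", include_profiles=True, seen=None):
    """Walk <modules> from the root POM and return the GAVs the reactor declares."""
    seen = set() if seen is None else seen
    if pom_path in seen or pom_path not in poms:
        return set()  # already visited, or module POM absent from the checkout
    seen.add(pom_path)
    # POMs fetched from untrusted sources should go through a hardened XML parser.
    project = ET.fromstring(poms[pom_path])
    parent = project.find("m:parent", NS)

    def inherited(tag):
        # groupId and version fall back to the <parent> block when omitted.
        own = _text(project, tag)
        return own or (_text(parent, tag) if parent is not None else None)

    gavs = {f"{inherited('groupId')}:{_text(project, 'artifactId')}:{inherited('version')}"}
    xpaths = ["m:modules/m:module"]
    if include_profiles:
        xpaths.append("m:profiles/m:profile/m:modules/m:module")
    for xpath in xpaths:
        for module in project.findall(xpath, NS):
            target = posixpath.normpath(
                posixpath.join(posixpath.dirname(pom_path), module.text.strip()))
            if not target.endswith(".xml"):  # a module may also name a POM file
                target = posixpath.join(target, "pom.xml")
            gavs |= reactor_gavs(poms, target, include_profiles, seen)
    return gavs


def central_pom_url(gav, base="https://repo1.maven.org/maven2"):
    """URL whose existence would confirm that the GAV's POM was published."""
    group, artifact, version = gav.split(":")
    return f"{base}/{group.replace('.', '/')}/{artifact}/{version}/{artifact}-{version}.pom"


def release_set_report(expected, published, local):
    """Compare reactor modules, published GAVs and locally built GAVs."""
    release_set = expected & published
    return {
        "release_set": release_set,
        "reactor_only": expected - published,
        "missing_from_local": release_set - local,
        "extra_in_local": local - release_set,
        "sets_equal": local == release_set,
    }


if __name__ == "__main__":
    report = release_set_report(reactor_gavs(SAMPLE_POMS), PUBLISHED, LOCAL)
    for key, value in report.items():
        print(key, sorted(value) if isinstance(value, set) else value)
```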
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> yasser lazrek <lazrekyasser1998@gmail.com><br>
<b>Sent:</b> Monday, September 1, 2025 1:17:30 PM<br>
<b>To:</b> General discussions about reproducible builds<br>
<b>Cc:</b> Aman Sharma<br>
<b>Subject:</b> Re: Reproducing a Maven Central Release from a single GAV coordinate</font>
<div> </div>
</div>
<div>
<div dir="ltr">
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Hello Aman and William,</p>
<div class="gmail-my-2" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Thank you for the response. I think I didn’t explain my goal clearly—let me restate it with more context. </p>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Context and goal</p>
<ul dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;list-style-position:initial;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
<li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
I’m following a top-down, build-from-source approach for Java projects. When building Project_X, I sometimes need to rebuild one of its dependencies, say G1:A1:V1, from source.</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
From that single GAV, tools like AROMA can often find the upstream repo URL and tag/commit for the source.</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
However, a single upstream “release” (reactor build) can publish multiple modules/artifacts. Depending on the build environment or command, the set of produced GAVs can differ (e.g., one build produces G1:Aroot:V1, G1:A1:V1, G1:A2:V1, G1:A3:V1; another build
command produces an extra G1:A4:V1).</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
To verify I reproduced the correct release, I want to compare:
<ol start="1" dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.75em 0px;padding:0px;list-style-position:initial">
<li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
the set of GAVs produced by my local build, with</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
the set of GAVs that were actually published upstream on Maven Central for that same release.</li></ol>
</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Only after the “set equality” check (the number of GAVs produced on my local is the same as the number of GAVs on upstream Maven Central) would I then proceed to byte-for-byte checks (POMs, jars, classes, etc.).</li></ul>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</p>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
The question: Given only a single GAV (e.g., G1:A1:V1), is there a reliable way (tool/technique) to determine the complete set of GAVs that were published as part of the same upstream release? In other words, starting with G1:A1:V1, how do I discover “all other
GAVs that were released together with it” so I can compare them with the outputs of my local build?</p>
<div class="gmail-my-2" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
What I’ve considered</p>
<ul dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;list-style-position:initial;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
<li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Query Maven Central for all artifacts with the same groupId and version (e.g., g:"G1" AND v:"V1") to list potential siblings of G1:A1:V1. This works when a multi-module release uses a common groupId and version, but not always (some projects split across groupIds
or use different version schemes).</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Inspect the POM of G1:A1:V1:
<ul dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.75em 0px;padding:0px;list-style:disc">
<li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Walk up the parent POM chain to locate the reactor root or a POM with a section.</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
From the root POM, enumerate modules and map them to expected GAVs at that version, then verify presence on Central (to exclude reactor-only or non-published modules).</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Use the tag (url/tag) to correlate modules in the same repo/tag and confirm which ones were actually published.</li></ul>
</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Use APIs/indexes (e.g., <a href="http://search.maven.org">search.maven.org</a>) to enumerate artifacts and classifiers for a group/version, then reconcile with modules found via POM/SCM.</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Reference projects like jvm-repo-rebuild/reproducible-central for patterns, but I’m specifically looking for a way to derive the “release set” starting from one known GAV.</li></ul>
<div class="gmail-my-2" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
What I’m asking for</p>
<ul dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;list-style-position:initial;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
<li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Are there existing tools or established techniques that, given a single GAV, can reliably enumerate the full set of GAVs that were published with it in the same upstream release?</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
If not, are the heuristics above (groupId+version query, parent-POM/module traversal, SCM tag correlation, and Central presence checks) the recommended approach?</li><li class="gmail-text-start" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0.5em 0px;padding:0px;text-align:start">
Any pointers to tooling, scripts, or best practices you’d suggest for this “release set discovery” step would be very helpful.</li></ul>
<div class="gmail-my-2" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Thank you for your guidance!</p>
<div class="gmail-my-2" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Best regards, Yasser Lazrek</p>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</p>
</div>
<br>
<div class="gmail_quote gmail_quote_container">
<div dir="ltr" class="gmail_attr">On Fri, Aug 29, 2025 at 19:05, Aman Sharma via rb-general <<a href="mailto:rb-general@lists.reproducible-builds.org">rb-general@lists.reproducible-builds.org</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div id="m_5538609325712054072divtagdefaultwrapper" style="font-size:12pt;color:rgb(0,0,0);font-family:Garamond,Georgia,serif" dir="ltr">
<p>Hi Yasser,</p>
<p><br>
</p>
<p>> <b style="color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,system-ui,"Segoe UI","Helvetica Neue",Arial,sans-serif,serif,EmojiFont;font-size:16px">Given just a GAV coordinate, how can I reliably identify the full list of related GAVs that were
included in the upstream release of that single GAV?</b></p>
<p><br>
</p>
<p>It sounds to me like you are interested in getting all the dependencies of that single GAV in order to build an identical jar. But to reproduce the jar, you don't need to explicitly gather the whole list of dependencies. You identify the source code of
the project and build it using a Java build tool. The build tool gathers the dependencies for you.</p>
<p><span style="font-size:12pt"><br>
</span></p>
<p><span style="font-size:12pt">Infrastructure like <a href="https://github.com/jvm-repo-rebuild/reproducible-central" target="_blank">https://github.com/jvm-repo-rebuild/reproducible-central</a> does the same thing. Refer to
<a href="https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/trino/trino-446.buildspec" target="_blank">
one of the <u>buildspec</u></a><u></u> files that it has. It is basically a build recipe for reproducing the build.</span></p>
<div id="m_5538609325712054072Signature">
<div id="m_5538609325712054072divtagdefaultwrapper" dir="ltr" style="font-size:12pt;color:rgb(0,0,0);font-family:Calibri,Helvetica,sans-serif,EmojiFont,"Apple Color Emoji","Segoe UI Emoji",NotoColorEmoji,"Segoe UI Symbol","Android Emoji",EmojiSymbols">
<div id="m_5538609325712054072m_4935352394101912768Signature">
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif;background-color:rgb(255,255,255)"><span id="m_5538609325712054072divtagdefaultwrapper" style="font-size:12pt">
<div style="margin-top:0px;margin-bottom:0px"><br>
</div>
<div style="margin-top:0px;margin-bottom:0px"><span style="color:rgb(0,0,0);font-family:Garamond,Georgia,serif">Regards,</span></div>
<div style="margin-top:0px;margin-bottom:0px"><span style="color:rgb(0,0,0);font-family:Garamond,Georgia,serif">Aman Sharma</span></div>
</span><br>
</span></font></div>
<div name="divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif;background-color:rgb(255,255,255)"></span><span>PhD Student<br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif;background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
</span><span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif;background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif;background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span><br style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif">
<span style="font-family:Arial,"Helvetica Neue",helvetica,sans-serif;background-color:rgb(255,255,255)"><a href="http://www.kth.se" id="m_5538609325712054072LPNoLP" target="_blank"></a><a href="https://www.kth.se/profile/amansha" id="m_5538609325712054072LPNoLP" target="_blank"></a><a href="https://www.kth.se/profile/amansha" id="m_5538609325712054072LPNoLP" target="_blank"></a></span></font></div>
</div>
<a href="https://www.kth.se/profile/amansha" id="m_5538609325712054072LPNoLP" target="_blank"><span style="font-size:10pt"></span></a><a href="https://algomaster99.github.io/" id="m_5538609325712054072LPNoLP" target="_blank">https://algomaster99.github.io/</a><br>
</div>
</div>
</div>
<hr style="display:inline-block;width:98%">
<div id="m_5538609325712054072divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> rb-general <<a href="mailto:rb-general-bounces@lists.reproducible-builds.org" target="_blank">rb-general-bounces@lists.reproducible-builds.org</a>>
on behalf of William Burton via rb-general <<a href="mailto:rb-general@lists.reproducible-builds.org" target="_blank">rb-general@lists.reproducible-builds.org</a>><br>
<b>Sent:</b> Friday, August 29, 2025 12:45:39 PM<br>
<b>To:</b> General discussions about reproducible builds<br>
<b>Cc:</b> William Burton<br>
<b>Subject:</b> Re: Reproducing a Maven Central Release from a single GAV coordinate</font>
<div> </div>
</div>
<div>
<div dir="ltr">Hi Yasser,
<div><br>
</div>
<div>This is the focused goal of <a href="https://github.com/jvm-repo-rebuild/reproducible-central" target="_blank">https://github.com/jvm-repo-rebuild/reproducible-central</a> so that's definitely a good place to start!<br>
<br>
Additionally, our project (website: <a href="https://oss-rebuild.dev/" target="_blank">
https://oss-rebuild.dev/</a> source: <a href="https://github.com/google/oss-rebuild" target="_blank">https://github.com/google/oss-rebuild</a>) is in the process of adding Maven support which will probably leverage reproducible-central in some ways. That's
in addition to our other supported ecosystems like npm, crates, and pypi.<br>
<br>
Comparing the two, I'd say reproducible-central is a good place to dig in on technical details about how/why certain GAVs are reproducible or not, while OSS Rebuild is a little more "batteries included" by producing signed attestations and ecosystem-agnostic
support tooling. There's collaboration across the two projects so I don't think you can go wrong either way :)</div>
</div>
<div dir="ltr"><br>
<div></div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Aug 29, 2025 at 11:50 AM yasser lazrek <<a href="mailto:lazrekyasser1998@gmail.com" target="_blank">lazrekyasser1998@gmail.com</a>> wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px 0px 1.25em;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Hello,</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
As part of a build-from-source initiative, I am working on a top-down strategy to build project dependencies from source. Often, when trying to build a particular dependency, the only information available is its Maven GAV (Group ID, Artifact ID, and Version)
coordinate.</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
My question is: <span style="box-sizing:border-box;border-width:0px;border-style:solid;margin:0px;padding:0px;font-weight:600">Given just a GAV coordinate, how can I reliably identify the full list of related GAVs that were included in the upstream release
of that single GAV?</span> The goal is to reproduce the released binary artifact by building from the upstream source (using its repository URL and a specific commit hash or release tag), and to ensure that the output matches exactly what was published on
Maven Central.</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Are there recommended tools or best practices to trace the complete set of artifacts and metadata associated with an original Maven Central release that can cover the majority of artifacts (GAVs) on Maven Central, solely from its GAV? Any advice or pointers
would be greatly appreciated.</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Thank you for your insights!</p>
<div style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
</div>
<p dir="auto" style="box-sizing:border-box;border:0px solid rgb(22,21,19);margin:1.25em 0px;padding:0px;color:rgb(22,21,19);font-family:"Oracle Sans",-apple-system,"system-ui","Segoe UI","Helvetica Neue",Arial,sans-serif;font-size:16px">
Best regards,</p>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</body>
</html>