<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Garamond,Georgia,serif">
<p>Hi all,</p>
<p><br>
</p>
<p>> <font size="2"><span style="font-size:10pt">And we're also working on a lockfile for
<br>
Maven <a href="https://github.com/chains-project/maven-lockfile" target="_blank" rel="noopener noreferrer" id="LPlnk241110">https://github.com/chains-project/maven-lockfile</a><br>
</span></font></p>
<p><br>
</p>
<p>Just to add to what Benoit said, Trusted checksums and <a href="https://github.com/chains-project/maven-lockfile/" class="x_OWAAutoLink">
maven-lockfile</a> have been compared <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003589.html" class="x_OWAAutoLink">
before</a> in the same thread "<span>release of maven-lockfile</span>".</p>
<p>Common feature: both record a list of checksums and fail the build if any dependency's checksum cannot be found in either the .sha512 (trusted checksum) or lockfile.json (maven-lockfile).</p>
<p><br>
</p>
<p>One main feature of the lockfile is that it helps resolve exact dependencies if the dependencies' pom.xml files (even transitive ones) declare version ranges. Other features are listed
<a href="https://github.com/chains-project/maven-lockfile/issues/954#issue-2623808219" class="x_OWAAutoLink">
here</a>:</p>
<ul dir="auto">
<li>Can recreate pom file from lockfile</li><li>Stores lockfile in each submodule individually</li><li>Backwards compatible with older maven versions</li></ul>
<p> </p>
<div id="x_Signature">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:rgb(0,0,0); font-family:Calibri,Helvetica,sans-serif,'EmojiFont','Apple Color Emoji','Segoe UI Emoji',NotoColorEmoji,'Segoe UI Symbol','Android Emoji',EmojiSymbols">
<div id="x_m_4935352394101912768Signature">
<div name="x_divtagdefaultwrapper"><font size="2" color="#808080"><span style="font-family:Arial,'Helvetica Neue',helvetica,sans-serif; background-color:rgb(255,255,255)"><span id="x_divtagdefaultwrapper" style="font-size:12pt">
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Regards,</span></div>
<div style="margin-top:0; margin-bottom:0"><span style="color:rgb(0,0,0); font-family:Garamond,Georgia,serif">Aman Sharma</span></div>
</span><br>
</span></font></div>
<div name="x_divtagdefaultwrapper"><font size="2" color="#808080"><span class="x_im">PhD Student<br>
<span style="font-family:Arial,'Helvetica Neue',helvetica,sans-serif; background-color:rgb(255,255,255)">KTH Royal Institute of Technology</span><br>
</span><span style="font-family:Arial,'Helvetica Neue',helvetica,sans-serif; background-color:rgb(255,255,255)">School of Electrical Engineering and Computer Science (EECS)</span><br>
<span style="font-family:Arial,'Helvetica Neue',helvetica,sans-serif; background-color:rgb(255,255,255)">Department of Theoretical Computer Science (TCS)</span><br>
</font></div>
</div>
<a href="https://algomaster99.github.io/" class="x_OWAAutoLink" id="LPNoLP">https://algomaster99.github.io/</a><br>
</div>
</div>
</div>
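<p>As an added illustration of the common feature described above (this is not code from maven-lockfile or from Maven's trusted-checksums support, and the lockfile layout is a constructed stand-in, not either tool's real format), here is the check that makes a build fail when a resolved artifact is absent from the lock or carries a different SHA-512:</p>

```python
import hashlib
import json

# Constructed lockfile in the spirit of the lockfile.json / .sha512 lists
# discussed in the thread. Assumption: this schema is illustrative only and
# is NOT maven-lockfile's actual format.
LOCKFILE_JSON = json.dumps({
    "dependencies": [
        {"groupId": "org.example", "artifactId": "lib-a", "version": "1.2.0",
         "sha512": hashlib.sha512(b"lib-a-1.2.0 jar bytes").hexdigest()},
        {"groupId": "org.example", "artifactId": "lib-b", "version": "2.0.1",
         "sha512": hashlib.sha512(b"lib-b-2.0.1 jar bytes").hexdigest()},
    ]
})

# Constructed "resolved" artifacts: coordinates -> jar bytes as the build
# actually fetched them. One matches, one was altered, one is unlocked.
RESOLVED = {
    "org.example:lib-a:1.2.0": b"lib-a-1.2.0 jar bytes",       # matches lock
    "org.example:lib-b:2.0.1": b"lib-b-2.0.1 TAMPERED bytes",  # digest differs
    "org.example:lib-c:0.9.0": b"lib-c-0.9.0 jar bytes",       # not in lock
}


def load_lock(text):
    """Parse the lockfile into {"group:artifact:version": expected sha512 hex}."""
    lock = json.loads(text)
    return {f"{d['groupId']}:{d['artifactId']}:{d['version']}": d["sha512"]
            for d in lock["dependencies"]}


def verify(resolved, expected):
    """Return (ok, problems). A resolved dependency that has no entry in the
    lock, or whose digest differs from the locked one, is a problem; either
    condition is enough to fail the build."""
    problems = []
    for coords, data in resolved.items():
        actual = hashlib.sha512(data).hexdigest()
        if coords not in expected:
            problems.append(f"{coords}: not in lockfile")
        elif actual != expected[coords]:
            problems.append(f"{coords}: sha512 mismatch")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = verify(RESOLVED, load_lock(LOCKFILE_JSON))
    print("BUILD OK" if ok else "BUILD FAILED:\n  " + "\n  ".join(problems))
```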
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> rb-general <rb-general-bounces@lists.reproducible-builds.org> on behalf of Benoit Baudry <benoit.baudry@umontreal.ca><br>
<b>Sent:</b> Friday, December 5, 2025 10:11:14 PM<br>
<b>To:</b> John Neffenger; General discussions about reproducible builds<br>
<b>Cc:</b> Deepika Tiwari; Martin Monperrus; Yogya Gamage<br>
<b>Subject:</b> Re: Unpacking lockfiles in different package managers</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">Thanks John!<br>
<br>
And we're also working on a lockfile for <br>
Maven <a href="https://github.com/chains-project/maven-lockfile">https://github.com/chains-project/maven-lockfile</a><br>
<br>
cheers,<br>
<br>
Benoit<br>
<br>
On 2025-12-05 11:45, John Neffenger wrote:<br>
> NOTICE: External email. Be vigilant.<br>
><br>
><br>
> I did a quick check in your document about Maven, and it says:<br>
><br>
>   "Meanwhile, Maven, the other major package manager for Java does not<br>
> have a lockfile at all. We recommend the Maven community to add this<br>
> feature and learn from the best practices to design an informative and<br>
> usable lockfile."<br>
><br>
> There's a secret feature in Maven (secret in that it's *not* at all well<br>
> known) that provides dependency and plugin verification. See my post<br>
> last year for details:<br>
><br>
> release of maven-lockfile<br>
> <a href="https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html">https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html</a><br>
><br>
><br>
> If Lockfiles are, as the paper says, "used to reduce build times; to<br>
> verify the integrity of resolved packages; and to support build<br>
> reproducibility across environments and time," then this<br>
> poorly-documented Maven feature should work as a built-in Lockfile.<br>
><br>
> John<br>
><br>
> On 12/5/25 5:17 AM, Benoit Baudry wrote:<br>
>> Hi everyone,<br>
>><br>
>> We've recently worked on unpacking the various strategies for generating<br>
>> lockfiles in different package managers: "The Design Space of Lockfiles<br>
>> Across Package Managers" <br>
>> <a href="https://arxiv.org/pdf/2505.04834">https://arxiv.org/pdf/2505.04834</a><br>
>><br>
>> Should this ring a bell, don't hesitate to reach out<br>
>><br>
>> cheers!<br>
>><br>
>> Benoit, Yogya, Martin, Deepika<br>
>><br>
><br>
</div>
</span></font>
</body>
</html>