[Git][reproducible-builds/reproducible-website][master] target is rebuild attestation
Chris Lamb (@lamby)
gitlab at salsa.debian.org
Sat Mar 8 10:29:55 UTC 2025
Chris Lamb pushed to branch master at Reproducible Builds / reproducible-website
Commits:
0357fc3b by Hervé Boutemy at 2025-03-07T21:56:26+00:00
target is rebuild attestation
- - - - -
1 changed file:
- _docs/jvm.md
Changes:
=====================================
_docs/jvm.md
=====================================
@@ -42,7 +42,7 @@ Tasks which generate archives, such as ZIPs or JARs, can enforce preserved file
When using [sbt](https://www.scala-sbt.org/), a build tool popular with Scala projects, you can use the
[sbt-reproducible-builds](https://github.com/raboof/sbt-reproducible-builds) plugin to strip your artifacts and share buildinfo information.
-## `.buildinfo` file
+### `.buildinfo` file
JVM `.buildinfo` file format is a format drafted in 2018 when working initially on Reproducible Builds for the JVM, to try to record
full build info data, from source and environment used to rebuild to output result: its intent was to easily compare 2 builds run by independant people.
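Review bot: the heading change from `##` to `###` makes `.buildinfo` file a subsection of whichever `##` section precedes it, and the context lines directly above are about the sbt plugin, so check that the parent section is the intended one. The commit message mentions only the rebuild attestation target, so the demotion deserves a word there. While this paragraph is in view, "independant" in the context line below the heading should read "independent".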
@@ -50,32 +50,34 @@ full build info data, from source and environment used to rebuild to output resu
After 3 years of work on Reproducible Builds, it has been found more useful as an internal file format: Reproducible Central and its
`.buildspec` format is more what we need to check that Reproducible Builds results has been achieved. `.buildinfo` just records a build, be it reproducible or not.
-Buildinfo file format version 1.0-SNAPSHOT is kept here for reference on past work. It uses [Java properties format](https://en.wikipedia.org/wiki/.properties):
+In the future, we'll probably define a rebuild attestation specification that will better serve the purpose.
-```
-#### Work In Progress ####
-buildinfo.version=1.0-SNAPSHOT
+<details><summary>buildinfo details (deprecated)</summary>
+
+<p>Buildinfo file format version 1.0-SNAPSHOT is kept here for reference on past work. It uses <a href="https://en.wikipedia.org/wiki/.properties">Java properties format</a>:</p>
-name=<name of the artifact>
-group-id=<groupId coordinates in repository>
-artifact-id=<artifactId coordinates in repository>
-version=<version coordinates in repository>
+<div class="highlight"><pre class="highlight"><code>#### Deprecated ####
+buildinfo.version=1.0-SNAPSHOT
+name=<name of the artifact>
+group-id=<groupId coordinates in repository>
+artifact-id=<artifactId coordinates in repository>
+version=<version coordinates in repository>
# source information for rebuilders, as source tarball artifact in repository and/or url and/or scm coordinates
-source.artifact=<groupId>:<artifactId>:<version>:<classifier>:<extension>
-source.url=<url where to download official source tarball>
-source.scm.uri=<source control uri, typically corresponding to the project.scm.developerConnection or project.scm.connection in the pom.xml>
-source.scm.tag=<source control tag as in pom.xml>
+source.artifact=<groupId>:<artifactId>:<version>:<classifier>:<extension>
+source.url=<url where to download official source tarball>
+source.scm.uri=<source control uri, typically corresponding to the project.scm.developerConnection or project.scm.connection in the pom.xml>
+source.scm.tag=<source control tag as in pom.xml>
# build instructions
-build-tool=<mvn|sbt|...>
-build.setup=<optional url of documentation explaining specific additional setup when necessary: will be enhanced in a future buildinfo format version>
+build-tool=<mvn|sbt|...>
+build.setup=<optional url of documentation explaining specific additional setup when necessary: will be enhanced in a future buildinfo format version>
# effective recorded build environment information
-java.version=<Java version taken from "java.version" system property>
-java.vendor=<Java vendor taken from "java.vendor" system property>
-os.name=<Operating System name taken from "os.name" system property>
-source.used=<artifact|url|scm, depending on which has been used for the build>
+java.version=<Java version taken from "java.version" system property>
+java.vendor=<Java vendor taken from "java.vendor" system property>
+os.name=<Operating System name taken from "os.name" system property>
+source.used=<artifact|url|scm, depending on which has been used for the build>
# Each build tool or plugin is free to add additional entries to the buildinfo,
# both for build instructions and effective recorded build environment.
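Review bot: the placeholders on the added lines inside `<pre class="highlight"><code>` (for example `+name=<name of the artifact>`) read here as literal angle brackets. In the fenced block Markdown escaped them, but in a raw HTML block a browser parses `<name of the artifact>` as an unknown tag and the placeholder text disappears from the rendered page, so they need to be written as `&lt;...&gt;`. As displayed, the removed and added lines look identical, so please confirm the escaping is present in the file. The new sentence ending "that will better serve the purpose" also leaves the purpose unnamed; stating it (comparing builds run by independent people, per the paragraph above) would make the sentence stand on its own.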
@@ -85,23 +87,17 @@ scala.version=2.12.6
# and Maven could add data on rebuild instructions and effective recorded environment:
mvn.rebuild-args=-Dmaven.test.skip package
-mvn.build-root=<groupId>:<artifactId>:<version>
+mvn.build-root=<groupId>:<artifactId>:<version>
mvn.version=Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)
-mvn.minimum.version=<minimum Maven version to rebuild if known>
+mvn.minimum.version=<minimum Maven version to rebuild if known>
# A buildinfo file can contain checksums for multiple output files, for
# example for the main jar and the accompanying pom.xml (when generated):
-outputs.0.filename=<file name in the repository, ${artifactId}-${version}[-${classifier}].${extension}>
-outputs.0.length=<file size>
-outputs.0.checksums.sha512=<sha512 lowercase>
-outputs.1.filename=<file name in the repository>
-outputs.1.length=<file size>
-outputs.1.checksums.sha512=<sha512 lowercase>
+outputs.0.filename=<file name in the repository, ${artifactId}-${version}[-${classifier}].${extension}>
+outputs.0.length=<file size>
+outputs.0.checksums.sha512=<sha512 lowercase>
+outputs.1.filename=<file name in the repository>
+outputs.1.length=<file size>
+outputs.1.checksums.sha512=<sha512 lowercase>
...
-```
-
-Notice that `${artifactId}-${version}-sources.jar` files published in Maven repositories are not buildable sources, but [sources for IDEs](https://central.sonatype.org/pages/requirements.html#supply-javadoc-and-sources).
-
-Source tarballs, intended for building, are not always published in repositories but only sometimes, with 2 classical naming conventions:
-- `${artifactId}-${version}-source-release.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:source-release))
-- `${artifactId}-${version}-src.zip` (see [artifacts in Central providing such source tarballs](https://search.maven.org/search?q=l:src))
+</code></pre></div>
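Review bot: the `<details>` element opened in the previous hunk is not closed anywhere in the added lines; the last added line is `+</code></pre></div>` and no `</details>` follows it, so add one after that line rather than relying on the browser to close it implicitly. The hunk also drops the note that `${artifactId}-${version}-sources.jar` files are not buildable sources, along with the two source tarball naming conventions. That guidance does not depend on the deprecated buildinfo format, so consider keeping it outside the collapsed block.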
View it on GitLab: https://salsa.debian.org/reproducible-builds/reproducible-website/-/commit/0357fc3b7b094ef1b8df74176a6b24feb5c40bec