[rb-general] [jvm] How to share rebuilder attestations

Eli Schwartz eschwartz at archlinux.org
Sun Jan 13 03:31:53 CET 2019

On 1/12/19 1:06 PM, Hervé Boutemy wrote:
> thank you, very instructive: if someone can provide equivalent links for 
> Debian please, this would be great
> there is one thing I didn't find though: where are buildinfo files?
> one very interesting part is your PKGBUILD files, that contain the recipe for 
> building the software then the package, and is a shell script file, with 
> properties to define prerequisites
> IMHO this is one thing where our current work on buildinfo files for the JVM 
> will require some work: the recipe for building is in the buildinfo and 
> implicit.
> There is also the difference between "depends" and "makedepends", with depends 
> containing a range like "java-environment>=7", but makedepends defining a 
> concrete major version "java-environment=8".

Our buildinfo is embedded in the build artifacts and documented here:

(We only support the latest version for each major java release, and we
automatically build with the latest supported version unless pinned to
an older one. So we can get away with this...)

I'd provide you a slightly more canonical link from

Except that when looking for the manpage I discovered not only is the
website not updated, but also there is a bug in the build system which
would result in specifically the BUILDINFO file being missing. I've
submitted patches to fix this though. :D

>>> yes, using external server to download dependencies is a default
>>> behaviour,
>>> but if someone wants to override to get his own artifact repository
>>> instead, you can do it with parameters (at least with Maven, but I
>>> suppose every build tool can)
>> Is this something that could be packaged and then referenced as a
>> directory path?
> yes, using settings.xml mirror
> https://maven.apache.org/ref/3.6.0/maven-settings/settings.html
> By doing so you'll discover the bunch of binaries you're downloading, both as
> plugins during the build but also tool dependencies that are then bundled in
> your package (for example in Maven every file lib/ that is not named
> maven-*.jar): you'll discover real dependencies that would ideally have to be
> built from sources

Neat, I'll need to try this out sometime, maybe ask our java maintainers
if this is something we can do regularly.

Eli Schwartz
Bug Wrangler and Trusted User
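
The message above says the buildinfo is embedded in the build artifact and notes a build-system bug that could leave the BUILDINFO file out. The following is an added example, not code from this message or from Arch's tooling: it reads a `.BUILDINFO` member out of a package archive, reports when it is absent, and compares the recorded build environment of two builds. The key names follow pacman's `key = value` BUILDINFO layout as an assumption; the package contents and all values are constructed.

```python
import io
import tarfile

MULTI = {"buildenv", "options", "installed"}  # keys that repeat, one value per line

def parse_buildinfo(text):
    """Parse 'key = value' lines; repeated keys are collected into lists."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" = ")
        if sep:  # skip blank or malformed lines
            info.setdefault(key, []).append(value)
    return {k: (v if k in MULTI else v[-1]) for k, v in info.items()}

def read_buildinfo(pkg_bytes):
    """Return the parsed .BUILDINFO of a package, or None if it is missing."""
    with tarfile.open(fileobj=io.BytesIO(pkg_bytes), mode="r:*") as tar:
        try:
            member = tar.extractfile(".BUILDINFO")
        except KeyError:  # the archive has no such member
            return None
        return parse_buildinfo(member.read().decode("utf-8"))

def env_diff(a, b):
    """Build-time packages recorded by only one of two builds."""
    ia, ib = set(a.get("installed", [])), set(b.get("installed", []))
    return sorted(ia - ib), sorted(ib - ia)

def make_pkg(buildinfo=None):
    """Constructed sample: a minimal in-memory package archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        for name, body in ((".PKGINFO", "pkgname = demo\n"), (".BUILDINFO", buildinfo)):
            if body is None:
                continue
            data = body.encode("utf-8")
            entry = tarfile.TarInfo(name)
            entry.size = len(data)
            tar.addfile(entry, io.BytesIO(data))
    return buf.getvalue()

SAMPLE = (  # constructed values, not taken from a real package
    "format = 1\npkgname = demo\npkgver = 1.0-1\npkgarch = any\n"
    "builddate = 1547346713\nbuilddir = /build\n"
    "buildenv = !distcc\nbuildenv = color\n"
    "installed = jdk8-openjdk-8.u192-1-x86_64\n"
    "installed = maven-3.6.0-1-any\n"
)
```

A rebuilder comparing its result with the original package would treat a `None` return as "no environment recorded" rather than as an empty environment.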
