rebuilding Maven Central Repository artifacts: welcome reproducible-central

Arnout Engelen arnout at
Fri Apr 3 12:26:36 UTC 2020

On Fri, Apr 3, 2020 at 1:06 PM Julien Lepiller <julien at> wrote:
> something that could help guix is a relation groupid/artifactid -> source

This is indeed an interesting topic.

Artifacts published under a groupid/artifactid typically have a
pom.xml with an 'scm' section pointing to the sources (for example

I think we might need to be careful not to blindly trust that
information: if we blindly downloaded those sources and rebuilt
them, an attacker could point that 'scm' section to his backdoored
version of the application, and the rebuilder would rebuild them -
backdoor-and-all. Still better than not having that at all, but it
would be a shame if that'd go unnoticed.

When publishing a buildinfo file alongside the other artifacts (like
for example
), that buildinfo also has an scm section. I wonder if we should
define that to be interpreted just as "these are the sources I
happened to build", or stronger as "I assert that this is a correct
source location for the project"?

This could also be one contribution of the fact that
reproducible-central has its own 'buildspec' (e.g.
): introducing that buildspec gives us another source of information
on what the correct location for the sources for that project is - and
when someone uploads a new buildspec, that might be a natural moment
to validate this.

What do you think?
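One way to turn the cross-check discussed above into a concrete validation step, as an added example that is not part of this thread or of reproducible-central's own tooling: it compares the source location declared in the pom.xml 'scm' section with the one in the buildinfo and the one in the buildspec, treating the human-reviewed buildspec as the reference. The buildinfo keys (source.scm.uri, source.scm.tag), the buildspec keys (gitRepo, gitTag) and all inputs are assumed or constructed here.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs; no real artifact is referenced.
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>org.example</groupId><artifactId>demo</artifactId><version>1.2.3</version>
  <scm>
    <connection>scm:git:https://github.com/example/demo.git</connection>
    <tag>demo-1.2.3</tag>
  </scm>
</project>"""
# Assumed key names for the Maven .buildinfo 'scm' information.
BUILDINFO = """buildinfo.version=1.0-SNAPSHOT
group-id=org.example
artifact-id=demo
version=1.2.3
source.scm.uri=scm:git:https://github.com/example/demo.git
source.scm.tag=demo-1.2.3
"""
# Assumed key names for a reproducible-central style buildspec.
BUILDSPEC = """groupId=org.example
artifactId=demo
version=1.2.3
gitRepo=https://github.com/example/demo.git
gitTag=demo-1.2.3
"""

def normalize_repo(uri):
    """Reduce 'scm:git:https://host/org/repo.git/' style URIs to one comparable form."""
    uri = re.sub(r"^scm:[a-z]+:", "", uri.strip()).rstrip("/")
    return (uri[:-4] if uri.endswith(".git") else uri).lower()

def parse_kv(text):
    """Parse simple key=value lines (buildinfo and buildspec share this shape)."""
    return dict(l.split("=", 1) for l in text.splitlines() if "=" in l and not l.startswith("#"))

def pom_scm(pom_text):
    """Return (normalized repository, tag) from the pom.xml <scm> section."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    root = ET.fromstring(pom_text)
    conn = root.findtext("m:scm/m:connection", default="", namespaces=ns)
    return normalize_repo(conn), root.findtext("m:scm/m:tag", default="", namespaces=ns).strip()

def scm_mismatches(pom_text, buildinfo_text, buildspec_text):
    """List every disagreement with the buildspec; an empty list means all three sources agree."""
    bi, bs = parse_kv(buildinfo_text), parse_kv(buildspec_text)
    ref = (normalize_repo(bs.get("gitRepo", "")), bs.get("gitTag", "").strip())
    claims = {"pom.xml": pom_scm(pom_text),
              "buildinfo": (normalize_repo(bi.get("source.scm.uri", "")), bi.get("source.scm.tag", "").strip())}
    problems = []
    for name, (repo, tag) in claims.items():
        if repo != ref[0]:
            problems.append(f"{name}: repository {repo!r} != buildspec {ref[0]!r}")
        if tag != ref[1]:
            problems.append(f"{name}: tag {tag!r} != buildspec {ref[1]!r}")
    return problems
```

A rebuilder would run this before fetching anything, so a pom whose 'scm' section points somewhere other than the reviewed buildspec is flagged rather than silently rebuilt.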
