Rebuilding and checking Reproducible Builds from Maven Central repository
Hervé Boutemy
hboutemy at apache.org
Sat Mar 7 10:59:14 UTC 2020
Hi,
I've been silent for a few months, but not inactive :)
Here are the big news:
1. since the release of Apache parent POM version 23 in january, every Apache project using Maven inheriting from this release should have reproducible builds: this is the case for every Maven component release done since then, but also Apache Sling, or Apache Nifi
2. I just launched a discussion on Maven developers list [1] to discuss an easy way to rebuild and check the output of such releases
If you are interested, please join the discussion: this is a key step for upstream projects using the JVM to check that their releases published to Maven Central are reproducible.
I hope that in the future:
- other build tools than Maven will provide equivalent tooling (not only to produce reproducible output but also ease checking, which is until now painful)
- we'll discuss a way for rebuilders of Maven Central content to share their results
Regards,
Hervé
[1] https://lists.apache.org/thread.html/ra05a971a2de961d27691bd4624850a06a862b4223116c0c904be8397%40%3Cdev.maven.apache.org%3E
More information about the rb-general
mailing list