Rebuilding and checking Reproducible Builds from Maven Central repository

Julien Lepiller julien at
Sat Mar 7 12:15:25 UTC 2020

Le 7 mars 2020 05:59:14 GMT-05:00, "Hervé Boutemy" <hboutemy at> a écrit :
>I've been silent for a few months, but not inactive :)
>Here are the big news:
>1. since the release of Apache parent POM version 23 in january, every
>Apache project using Maven inheriting from this release should have
>reproducible builds: this is the case for every Maven component release
>done since then, but also Apache Sling, or Apache Nifi
>2. I just launched a discussion on Maven developers list [1] to discuss
>an easy way to rebuild and check the output of such releases
>If you are interested, please join the discussion: this is a key step
>for upstream projects using the JVM to check that their releases
>published to Maven Central are reproducible.
>I hope that in the future:
>- other build tools than Maven will provide equivalent tooling (not
>only to produce reproducible output but also ease checking, which is
>until now painful)
>- we'll discuss a way for rebuilders of Maven Central content to share
>their results

Quick question, since I'm trying to create a bootstrapped maven build system for guix. I noticed two files are created: _remote.repositories and two maven-metadata-local.xml with obvious timestamps. What are these files, and can I remove them safely?

More information about the rb-general mailing list