Rebuilding and checking Reproducible Builds from Maven Central repository
Julien Lepiller
julien at lepiller.eu
Sat Mar 7 12:15:25 UTC 2020
Le 7 mars 2020 05:59:14 GMT-05:00, "Hervé Boutemy" <hboutemy at apache.org> a écrit :
>Hi,
>
>I've been silent for a few months, but not inactive :)
>
>Here are the big news:
>
>1. since the release of Apache parent POM version 23 in january, every
>Apache project using Maven inheriting from this release should have
>reproducible builds: this is the case for every Maven component release
>done since then, but also Apache Sling, or Apache Nifi
>
>2. I just launched a discussion on Maven developers list [1] to discuss
>an easy way to rebuild and check the output of such releases
>
>If you are interested, please join the discussion: this is a key step
>for upstream projects using the JVM to check that their releases
>published to Maven Central are reproducible.
>
>I hope that in the future:
>- other build tools than Maven will provide equivalent tooling (not
>only to produce reproducible output but also ease checking, which is
>until now painful)
>- we'll discuss a way for rebuilders of Maven Central content to share
>their results
>
>Regards,
>
>Hervé
>
>[1]
>https://lists.apache.org/thread.html/ra05a971a2de961d27691bd4624850a06a862b4223116c0c904be8397%40%3Cdev.maven.apache.org%3E
Quick question, since I'm trying to create a bootstrapped maven build system for guix. I noticed two files are created: _remote.repositories and two maven-metadata-local.xml with obvious timestamps. What are these files, and can I remove them safely?
More information about the rb-general
mailing list