Rebuilding and checking Reproducible Builds from Maven Central repository
Hervé Boutemy
hboutemy at apache.org
Sat Mar 7 17:27:25 UTC 2020
Le samedi 7 mars 2020, 13:15:25 CET Julien Lepiller a écrit :
[...]
> Quick question, since I'm trying to create a bootstrapped maven build system
> for guix. I noticed two files are created: _remote.repositories and two
> maven-metadata-local.xml with obvious timestamps. What are these files, and
> can I remove them safely?
_remote.repositories: with Maven 3.0.x, when an artifact is downloaded from a repository, maven leaves a _maven.repositories file to record where the file was resolved from.
see https://stackoverflow.com/questions/16866978/maven-cant-find-my-local-artifacts for more details
maven-metadata-<repoid>.xml is the result of a download from a remote repository: see https://maven.apache.org/ref/current/maven-repository-metadata/
removing these files can change subtle resolution behaviour for edge cases, but to be short, for bootstrapping a repoducible build (then not using version ranges, that are inherently not reproducible), I'd say you can remove these files
Regards,
Hervé
More information about the rb-general
mailing list