Verifying reproducibility of Java builds from Maven Central

[Railean, Alexander]

Hi everybody,



I am trying to understand how someone can independently verify the reproducibility of Java projects on Maven Central. Having explored the repositories on Maven Central, I could not find examples where the "buildinfo" file was present.



The archives of this mailing list pointed out examples such as https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.4/akka-actor_2.13-2.6.4.buildinfo, and yet my understanding is that this is not enough [but why?], hence reproducible-central was created to address some sort of gap.



So far, my mental model is that:

*       By including buildinfo in the artifacts on Maven Central, library authors empower users to check for themselves if the build is reproducible or not.
*       Reproducible-central takes it a step further and attempts to do a build and then gives you a "yes/no" result.



Thus, the former makes the problem solvable in principle, whereas the latter actually solves it. Is my understanding is correct?





Besides that, I have some additional questions:

1. Can you provide references to documentation that explains how to make sure buildinfo ends up on Maven Central?

2. Is there a tutorial that describes how to get featured on Reproducible Central?





I had a look at https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/doc/BUILDSPEC.md, and my understanding is that this is not working for projects built on Windows, because it relies on rebuild.sh, which implies one has bash. The library I publish on Maven Central is built on a Windows computer - does this mean that I won't be able to list it in reproducible-builds?







Looking forward to your feedback,

Alex

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-general/attachments/20240328/316692eb/attachment.htm>