Verifying reproducibility of Java builds from Maven Central
Arnout Engelen
arnout at bzzt.net
Thu Mar 28 16:00:10 UTC 2024
On Thu, Mar 28, 2024, at 16:41, Railean, Alexander via rb-general wrote:
> I am trying to understand how someone can independently verify the reproducibility of Java projects on Maven Central. Having explored the repositories on Maven Central, I could not find examples where the “buildinfo” file was present.
Publishing a buildinfo to Maven Central is indeed relatively uncommon.
> The archives of this mailing list pointed out examples such as https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.4/akka-actor_2.13-2.6.4.buildinfo, and yet my understanding is that this is not enough [but why?], hence reproducible-central was created to address some sort of gap.
>
> So far, my mental model is that:
> • By including buildinfo in the artifacts on Maven Central, library authors empower users to check for themselves if the build is reproducible or not.
> • Reproducible-central takes it a step further and attempts to do a build and then gives you a “yes/no” result.
>
> Thus, the former makes the problem solvable in principle, whereas the latter actually solves it. Is my understanding correct?
Mostly: publishing the buildinfo is optional; it is possible to have a reproducible build without publishing the buildinfo metadata (but you might need some other way to convey the requirements for your build environment). Indeed, reproducible-central has successfully rebuilt many artifacts that haven't published a buildinfo.
> Besides that, I have some additional questions:
> 1. Can you provide references to documentation that explains how to make sure buildinfo ends up on Maven Central?
In the case of Akka, they/we use the https://github.com/raboof/sbt-reproducible-builds/ plugin for the sbt build tool that is used to build Akka.
> 2. Is there a tutorial that describes how to get featured on Reproducible Central?
>
> I had a look at https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/doc/BUILDSPEC.md, and my understanding is that this is not working for projects built on Windows, because it relies on rebuild.sh, which implies one has bash. The library I publish on Maven Central is built on a Windows computer – does this mean that I won’t be able to list it in reproducible-builds?
Hmm, that sounds tricky. However, my experience with Java/Maven is that it is often possible to achieve reproducibility across operating systems: artifacts built on MacOS can often be rebuilt on Linux and vice-versa, so perhaps the same is also true for Windows?
Kind regards,
--
Arnout Engelen
Engelen Open Source
https://engelen.eu
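As an added illustration of what a buildinfo file gives a user to check against (example code, not from the thread or from the Maven/sbt plugins it mentions): a minimal writer and verifier for the JVM buildinfo key=value format, where the `outputs.N.filename`, `outputs.N.length` and `outputs.N.checksums.sha512` entries are what a rebuild is compared with. Header values and artifact bytes are constructed for the demo.

```python
import hashlib
import re

# Added example: emits and checks the JVM buildinfo key=value format.
# Artifact bytes and header values used with it are constructed, not real.
HEADER_KEYS = ["buildinfo.version", "name", "group-id", "artifact-id", "version"]


def make_buildinfo(header: dict, outputs: dict) -> str:
    """Emit buildinfo text for artifacts given as {filename: bytes},
    the way a build-tool plugin would after a build."""
    lines = [f"{k}={header[k]}" for k in HEADER_KEYS]
    for i, (fname, data) in enumerate(sorted(outputs.items())):
        lines.append(f"outputs.{i}.filename={fname}")
        lines.append(f"outputs.{i}.length={len(data)}")
        lines.append(f"outputs.{i}.checksums.sha512={hashlib.sha512(data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_buildinfo(text: str) -> tuple[dict, dict]:
    """Return (header, outputs); outputs maps filename -> its recorded fields."""
    header, by_index = {}, {}
    pat = re.compile(r"^outputs\.(\d+)\.(filename|length|checksums\.sha512)=(.*)$")
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = pat.match(line)
        if m:
            by_index.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        else:
            k, _, v = line.partition("=")
            header[k] = v
    return header, {o["filename"]: o for o in by_index.values()}


def verify(buildinfo_text: str, rebuilt: dict) -> dict:
    """Compare locally rebuilt artifacts {filename: bytes} with a published
    buildinfo. Returns {filename: 'ok' | 'missing' | 'length mismatch'
    | 'checksum mismatch'}; every published output must be accounted for."""
    _, expected = parse_buildinfo(buildinfo_text)
    result = {}
    for fname, exp in expected.items():
        data = rebuilt.get(fname)
        if data is None:
            result[fname] = "missing"
        elif len(data) != int(exp["length"]):
            result[fname] = "length mismatch"
        elif hashlib.sha512(data).hexdigest() != exp["checksums.sha512"]:
            result[fname] = "checksum mismatch"
        else:
            result[fname] = "ok"
    return result
```

A buildinfo only records what was built and how; the `verify` step above is the part a user has to perform (or a service such as reproducible-central performs) to get a yes/no answer.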