release of maven-lockfile

Elias Lundell ellundel at kth.se
Wed Nov 20 14:00:58 UTC 2024


Thank you for highlighting this feature!

It is related to maven-lockfile <https://github.com/chains-project/maven-lockfile/>. Here is a summary of my comparison of the two tools:

From my testing I found two main advantages for trusted checksums:
+ It is built in to Maven and requires no additional downloads.
+ It captures the checksums of maven plugins that are run (e.g. maven-compiler-plugin, etc).

The main unique features of maven-lockfile:
+ Creates a pom containing specific versions of both dependencies and transitive dependencies to download locked versions. This enables re-building the exact same version.
+ Includes essential environment information such as java and maven version

I think it would be a good idea to combine the tools to enable automatic verification on build/tests. The integrity part of the maven-lockfile is handled very well by trusted checksums. However, the :freeze function of maven-lockfile is missing in trusted-checksum. If the `pom.xml` contains a version-range and a new version is downloaded the trusted checksums would fail, and there would be quite a lot of manual work to get the project running, especially if it is a transitive dependency that has changed.

Best,
Elias Lundell

________________________________
From: rb-general <rb-general-bounces at lists.reproducible-builds.org> on behalf of John Neffenger <john at status6.com>
Sent: Friday, September 27, 2024 5:29:36 PM
To: Reproducible Builds List
Subject: Re: release of maven-lockfile

On 9/27/24 1:20 AM, Martin Monperrus wrote:
> To generate a lock file, run the following command:
> $ mvn io.github.chains-project:maven-lockfile:generate

I just discovered yesterday that Maven 3.9.2 or later now has support
for dependency and plugin verification built in! It's called "Trusted
Checksums," and it's rather poorly documented for the moment. It's very
similar to how the Gradle dependency verification works.

There's a demonstration project here:

Trusted Checksums Demo
https://github.com/cstamas/tc-demo

Some unhelpful Maven documentation is here:

Trusted Checksums
https://maven.apache.org/resolver/expected-checksums.html#trusted-checksums

There's a more helpful Stack Overflow answer here:

How to use Maven Resolver "Trusted Checksums" to ensure artifact integrity?
https://stackoverflow.com/q/78746427

I added it to my Maven project by setting the following command-line
options in my project's '.mvn/maven.config' file:

------------------------------------------------------------------------
$ cat .mvn/maven.config
--strict-checksums
-Daether.trustedChecksumsSource.summaryFile=true
-Daether.trustedChecksumsSource.summaryFile.basedir=${session.rootDirectory}/.mvn/checksums/
-Daether.artifactResolver.postProcessor.trustedChecksums=true
-Daether.artifactResolver.postProcessor.trustedChecksums.checksumAlgorithms=SHA-512
-Daether.artifactResolver.postProcessor.trustedChecksums.failIfMissing=true
------------------------------------------------------------------------

Then I recorded the SHA-512 checksums just once with:

------------------------------------------------------------------------
$ mvn clean verify -Daether.artifactResolver.postProcessor.trustedChecksums.record
------------------------------------------------------------------------

After that, when anyone builds my project, the checksums for all 379
dependencies and plugins are verified:

------------------------------------------------------------------------
$ mvn clean package
...
[INFO] Loaded 379 trusted checksums from
/home/john/src/pub/hello-java/.mvn/checksums/checksums-central.sha512
...
[INFO] BUILD SUCCESS
------------------------------------------------------------------------

John
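An added example that is not from either message: an offline audit in Python that hashes a Maven local repository against a trusted-checksums summary file such as the checksums-central.sha512 file John's build loads, so a CI step can spot a tampered or missing artifact independently of Maven. It assumes the summary is in sha512sum style (hex checksum, two spaces, repository-relative artifact path, `#` comment lines) and constructs its own artifacts and summary for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_summary(text):
    """Parse a trusted-checksums summary file into {artifact path: checksum}.

    Assumed format (sha512sum style, '#' lines are comments):
        <hex checksum>  <artifact path relative to the repository root>
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        checksum, path = line.split(None, 1)
        entries[path.strip()] = checksum.lower()
    return entries

def verify_repository(summary_text, repo_root, algorithm="sha512"):
    """Hash every recorded artifact under repo_root and compare with the summary.

    Returns (verified, mismatched, missing) as sorted lists of artifact paths;
    any entry in the last two lists should fail the audit.
    """
    verified, mismatched, missing = [], [], []
    for path, expected in parse_summary(summary_text).items():
        artifact = Path(repo_root) / path
        if not artifact.is_file():
            missing.append(path)
            continue
        actual = hashlib.new(algorithm, artifact.read_bytes()).hexdigest()
        (verified if actual == expected else mismatched).append(path)
    return sorted(verified), sorted(mismatched), sorted(missing)

def demo():
    """Constructed repository: one intact artifact, one tampered, one absent."""
    root = Path(tempfile.mkdtemp())
    good = root / "org/example/lib/1.0/lib-1.0.jar"
    bad = root / "org/example/plugin/2.0/plugin-2.0.jar"
    good.parent.mkdir(parents=True)
    bad.parent.mkdir(parents=True)
    good.write_bytes(b"intact artifact bytes")
    bad.write_bytes(b"tampered artifact bytes")  # differs from what was recorded
    summary = "\n".join([
        "# constructed checksums-central.sha512",
        hashlib.sha512(b"intact artifact bytes").hexdigest() + "  org/example/lib/1.0/lib-1.0.jar",
        hashlib.sha512(b"original plugin bytes").hexdigest() + "  org/example/plugin/2.0/plugin-2.0.jar",
        hashlib.sha512(b"never downloaded").hexdigest() + "  org/example/gone/3.0/gone-3.0.pom",
    ])
    return verify_repository(summary, root)

if __name__ == "__main__":
    print(demo())
```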
