Reproducing a Maven Central Release from a single GAV coordinate
William Burton
williamburton at google.com
Fri Aug 29 16:45:39 UTC 2025
Hi Yasser,
This is the focused goal of
https://github.com/jvm-repo-rebuild/reproducible-central so that's
definitely a good place to start!
Additionally, our project (website: https://oss-rebuild.dev/ source:
https://github.com/google/oss-rebuild) is in the process of adding Maven
support which will probably leverage reproducible-central in some ways.
That's in addition to our other supported ecosystems like npm, crates, and
pypi.
Comparing the two, I'd say reproducible-central is a good place to dig in
on technical details about how/why certain GAVs are reproducible or not,
while OSS Rebuild is a little more "batteries included" by producing signed
attestations and ecosystem-agnostic support tooling. There's collaboration
across the two projects so I don't think you can go wrong either way :)
On Fri, Aug 29, 2025 at 11:50 AM yasser lazrek <lazrekyasser1998 at gmail.com>
wrote:
> Hello,
>
> As part of a build-from-source initiative, I am working on a top-down
> strategy to build project dependencies from source. Often, when trying to
> build a particular dependency, the only information available is its Maven
> GAV (Group ID, Artifact ID, and Version) coordinate.
>
> My question is: Given just a GAV coordinate, how can I reliably identify
> the full list of related GAVs that were included in the upstream release of
> that single GAV? The goal is to reproduce the released binary artifact by
> building from the upstream source (using its repository URL and a specific
> commit hash or release tag), and to ensure that the output matches exactly
> what was published on Maven Central.
>
> Are there recommended tools or best practices to trace the complete set of
> artifacts and metadata associated with an original Maven Central release
> that can cover the majority of artifacts (GAVs) on Maven Central, solely
> from its GAV? Any advice or pointers would be greatly appreciated.
>
> Thank you for your insights!
>
> Best regards,
>