Reproducing a Maven Central Release from a single GAV coordinate

Aman Sharma amansha at kth.se
Fri Aug 29 18:05:30 UTC 2025


Hi Yasser,


> Given just a GAV coordinate, how can I reliably identify the full list of related GAVs that were included in the upstream release of that single GAV?


It sounds to me like you are interested in getting all the dependencies of that single GAV in order to build an identical jar. But to reproduce the jar, you don't need to explicitly gather the whole list of dependencies. You identify the source code of the project and build it using a Java build tool. The build tool gathers the dependencies for you.


Infrastructure like https://github.com/jvm-repo-rebuild/reproducible-central does the same thing. Refer to one of the buildspec files that it has (https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/trino/trino-446.buildspec). It is basically a build recipe for reproducing the build.

Regards,
Aman Sharma

PhD Student
KTH Royal Institute of Technology
School of Electrical Engineering and Computer Science (EECS)
Department of Theoretical Computer Science (TCS)
<http://www.kth.se> <https://www.kth.se/profile/amansha>
https://algomaster99.github.io/
________________________________
From: rb-general <rb-general-bounces at lists.reproducible-builds.org> on behalf of William Burton via rb-general <rb-general at lists.reproducible-builds.org>
Sent: Friday, August 29, 2025 12:45:39 PM
To: General discussions about reproducible builds
Cc: William Burton
Subject: Re: Reproducing a Maven Central Release from a single GAV coordinate

Hi Yasser,

This is the focused goal of https://github.com/jvm-repo-rebuild/reproducible-central so that's definitely a good place to start!

Additionally, our project (website: https://oss-rebuild.dev/ source: https://github.com/google/oss-rebuild) is in the process of adding Maven support which will probably leverage reproducible-central in some ways. That's in addition to our other supported ecosystems like npm, crates, and pypi.

Comparing the two, I'd say reproducible-central is a good place to dig in on technical details about how/why certain GAVs are reproducible or not, while OSS Rebuild is a little more "batteries included" by producing signed attestations and ecosystem-agnostic support tooling. There's collaboration across the two projects so I don't think you can go wrong either way :)


On Fri, Aug 29, 2025 at 11:50 AM yasser lazrek <lazrekyasser1998 at gmail.com> wrote:

Hello,

As part of a build-from-source initiative, I am working on a top-down strategy to build project dependencies from source. Often, when trying to build a particular dependency, the only information available is its Maven GAV (Group ID, Artifact ID, and Version) coordinate.

My question is: Given just a GAV coordinate, how can I reliably identify the full list of related GAVs that were included in the upstream release of that single GAV? The goal is to reproduce the released binary artifact by building from the upstream source (using its repository URL and a specific commit hash or release tag), and to ensure that the output matches exactly what was published on Maven Central.

Are there recommended tools or best practices to trace the complete set of artifacts and metadata associated with an original Maven Central release that can cover the majority of artifacts (GAVs) on Maven Central, solely from its GAV? Any advice or pointers would be greatly appreciated.

Thank you for your insights!

Best regards,
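
As an added example (not part of the thread, and not code from reproducible-central or OSS Rebuild), the Python below shows one way to get from a GAV to the source location the replies say to build from: map the GAV to its POM URL on Maven Central, follow parent POMs until one declares `<scm>`, and compare a rebuilt jar with the published one by SHA-256. The `com.example` POMs and the names `find_scm`, `same_artifact` and `fetch` are constructed for illustration; `${...}` property interpolation is not handled.

```python
import hashlib
import xml.etree.ElementTree as ET

CENTRAL = "https://repo1.maven.org/maven2"

def central_url(group, artifact, version, ext="pom"):
    """Maven repository layout: dots in the groupId become directories."""
    return (f"{CENTRAL}/{group.replace('.', '/')}/{artifact}/{version}/"
            f"{artifact}-{version}.{ext}")

def find_scm(gav, fetch, max_depth=10):
    """Walk the parent-POM chain until a POM declares <scm>.

    fetch(url) returns POM text. Returns (gav_that_declares_scm, fields),
    or (last_gav, None) when no POM in the chain has <scm>.
    Simplification: ${...} properties are not interpolated.
    """
    for _ in range(max_depth):
        root = ET.fromstring(fetch(central_url(*gav)))
        for el in root.iter():          # tolerate POMs with or without xmlns
            el.tag = el.tag.rsplit("}", 1)[-1]
        scm = root.find("scm")
        if scm is not None:
            return gav, {c.tag: (c.text or "").strip() for c in scm}
        parent = root.find("parent")
        if parent is None:
            return gav, None
        gav = tuple(parent.findtext(k, "").strip()
                    for k in ("groupId", "artifactId", "version"))
    raise RuntimeError("parent chain deeper than max_depth")

def same_artifact(rebuilt: bytes, published: bytes) -> bool:
    """A rebuild counts as reproduced only if it is bit-for-bit identical."""
    return hashlib.sha256(rebuilt).digest() == hashlib.sha256(published).digest()

# Constructed sample POMs (com.example is a placeholder, not a real release).
CHILD = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>com.example</groupId><artifactId>demo-parent</artifactId>
    <version>1.2.0</version></parent>
  <artifactId>demo-core</artifactId>
</project>"""
PARENT = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>demo-parent</artifactId>
  <version>1.2.0</version>
  <scm><url>https://example.com/demo</url><tag>v1.2.0</tag></scm>
</project>"""
SAMPLE = {central_url("com.example", "demo-core", "1.2.0"): CHILD,
          central_url("com.example", "demo-parent", "1.2.0"): PARENT}

if __name__ == "__main__":
    print(find_scm(("com.example", "demo-core", "1.2.0"), SAMPLE.__getitem__))
```

In real use `fetch` would download the POM from the computed URL, and the `<tag>` value should be checked against the upstream repository, since it can be missing or left at `HEAD`.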