Unpacking lockfiles in different package managers
John Neffenger
john at status6.com
Fri Dec 5 16:45:17 UTC 2025
I did a quick check in your document about Maven, and it says:
"Meanwhile, Maven, the other major package manager for Java does not
have a lockfile at all. We recommend the Maven community to add this
feature and learn from the best practices to design an informative and
usable lockfile."
There's a secret feature in Maven (secret in that it's *not* at all well
known) that provides dependency and plugin verification. See my post
last year for details:
release of maven-lockfile
https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html
If lockfiles are, as the paper says, "used to reduce build times; to
verify the integrity of resolved packages; and to support build
reproducibility across environments and time," then this
poorly-documented Maven feature should work as a built-in lockfile.
John
On 12/5/25 5:17 AM, Benoit Baudry wrote:
> Hi everyone,
>
> We've recently worked on unpacking the various strategies for generating
> lockfiles in different package managers: "The Design Space of Lockfiles
> Across Package Managers" https://arxiv.org/pdf/2505.04834
>
> Should this ring a bell, don't hesitate to reach out
>
> cheers!
>
> Benoit, Yogya, Martin, Deepika
>
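The thread quotes the paper's definition of a lockfile as something used to verify the integrity of resolved packages and to keep resolution reproducible over time. The script below is an added illustration of that role, written for this edit; it is not code from the thread, from Maven, or from maven-lockfile. The lockfile format (one `coordinate sha256:<hex>` line per artifact), the coordinates and the artifact bytes are all constructed for the example. It records digests of resolved artifacts, then verifies a later resolution against them and reports the three ways a build can drift: an artifact whose bytes changed, a pinned artifact that is no longer resolved, and a resolved artifact that was never pinned.

```python
"""Lockfile-style integrity verification of resolved artifacts.

Added example (not from the rb-general thread, Maven, or maven-lockfile).
Lockfile format is constructed for this example:
    <coordinate> sha256:<64 hex chars>
Artifact contents are constructed in-memory byte strings, not real JARs.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

HEX = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_lockfile(artifacts: dict[str, bytes]) -> str:
    """Record the digest of every resolved artifact (sorted for stable diffs)."""
    lines = [f"{coord} sha256:{sha256_hex(data)}" for coord, data in sorted(artifacts.items())]
    return "\n".join(lines) + "\n"


def parse_lockfile(text: str) -> dict[str, str]:
    """Parse strictly: reject malformed lines, unknown algorithms and duplicates."""
    pinned: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            coord, digest_field = line.split()
            algo, digest = digest_field.split(":", 1)
        except ValueError:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}") from None
        if algo != "sha256" or len(digest) != 64 or set(digest) - HEX:
            raise ValueError(f"line {lineno}: expected sha256:<64 hex chars>")
        if coord in pinned:
            raise ValueError(f"line {lineno}: duplicate entry for {coord}")
        pinned[coord] = digest
    return pinned


@dataclass(frozen=True)
class Report:
    mismatched: tuple[str, ...]  # pinned, resolved, but bytes differ
    missing: tuple[str, ...]     # pinned but no longer part of the resolution
    unpinned: tuple[str, ...]    # resolved but absent from the lockfile

    def ok(self) -> bool:
        return not (self.mismatched or self.missing or self.unpinned)


def verify(lock_text: str, resolved: dict[str, bytes]) -> Report:
    """Compare a fresh resolution against the lockfile; any drift fails the build."""
    pinned = parse_lockfile(lock_text)
    mismatched = tuple(sorted(
        c for c, data in resolved.items() if c in pinned and sha256_hex(data) != pinned[c]
    ))
    missing = tuple(sorted(c for c in pinned if c not in resolved))
    unpinned = tuple(sorted(c for c in resolved if c not in pinned))
    return Report(mismatched, missing, unpinned)


# Constructed sample resolution; the byte strings stand in for artifact contents.
SAMPLE_ARTIFACTS: dict[str, bytes] = {
    "org.example:lib-a:1.2.0": b"PK\x03\x04 constructed contents of lib-a-1.2.0.jar",
    "org.example:lib-b:3.0.1": b"PK\x03\x04 constructed contents of lib-b-3.0.1.jar",
}
SAMPLE_LOCK = write_lockfile(SAMPLE_ARTIFACTS)


def demo() -> tuple[Report, Report]:
    """A clean re-resolution passes; a changed artifact plus a new one fails."""
    drifted = dict(SAMPLE_ARTIFACTS)
    drifted["org.example:lib-a:1.2.0"] = b"PK\x03\x04 constructed but different bytes"
    drifted["org.example:lib-c:0.9.0"] = b"PK\x03\x04 constructed new transitive dependency"
    return verify(SAMPLE_LOCK, SAMPLE_ARTIFACTS), verify(SAMPLE_LOCK, drifted)


if __name__ == "__main__":
    clean, drift = demo()
    print("clean resolution ok:", clean.ok())
    print("drifted resolution:", drift)
```

Reporting the three drift classes separately matters in practice: a digest mismatch points at a modified or substituted artifact, while a missing or unpinned coordinate usually means the resolution itself changed (a new transitive dependency or a version bump) and the lockfile needs a deliberate, reviewed update rather than a silent regeneration.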