Unpacking lockfiles in different package managers

Tamás Cservenák tamas at cservenak.net
Fri Dec 5 17:06:50 UTC 2025


Howdy,

Thanks for reminding me about this "demo". I updated it:
https://github.com/cstamas/tc-demo

Lockfiles reduce build time in case of npm, but not maven. In fact,
trusted checksums merely put you on the safe side, where you can use
ahead of build time provided checksums (from the same trusted source
as source files you compile) of all artifacts needed for build. And
those can be even strong (cryptographical) checksums, like in the
demo.

Thanks
T

On Fri, Dec 5, 2025 at 5:45 PM John Neffenger <john at status6.com> wrote:
>
> I did a quick check in your document about Maven, and it says:
>
>    "Meanwhile, Maven, the other major package manager for Java does not
> have a lockfile at all. We recommend the Maven community to add this
> feature and learn from the best practices to design an informative and
> usable lockfile."
>
> There's a secret feature in Maven (secret in that it's *not* at all well
> known) that provides dependency and plugin verification. See my post
> last year for details:
>
> release of maven-lockfile
> https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html
>
> If Lockfiles are, as the paper says, "used to reduce build times; to
> verify the integrity of resolved packages; and to support build
> reproducibility across environments and time," then this
> poorly-documented Maven feature should work as a built-in Lockfile.
>
> John
>
> On 12/5/25 5:17 AM, Benoit Baudry wrote:
> > Hi everyone,
> >
> > We've recently worked on unpacking the various strategies for generating
> > lockfiles in different package manager: "The Design Space of Lockfiles
> > Across Package Managers" https://arxiv.org/pdf/2505.04834
> >
> > Should this ring a bell, don't hesitate to reach out
> >
> > cheers!
> >
> > Benoit, Yogya, Martin, Deepika
> >
>
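The thread's central point is that a lockfile or trusted-checksum list only helps when the digests are known ahead of build time, come from the same trusted source as the sources being compiled, and are strong (cryptographic). The following is an added illustration of that idea, written for this page; it is not code from the thread, from tc-demo, or from Maven or npm, and the one-line `coordinate sha256` manifest format, the artifact coordinates and the byte strings are all constructed for the example. It shows the two halves of the mechanism: producing a deterministic manifest at release time, then checking every artifact the build resolved against it and flagging the three failure modes a practitioner cares about (digest mismatch, an artifact resolved that nobody pinned, and a pinned artifact that was not resolved).

```python
"""Lockfile-style integrity verification of resolved build artifacts.

Added example for the rb-general discussion above. The manifest format
('coordinate sha256' per line) is constructed for this illustration and is
not the real lockfile format of Maven, npm or any other package manager.
"""
import hashlib
from dataclasses import dataclass, field

HEX_DIGITS = set("0123456789abcdef")


def sha256_hex(data: bytes) -> str:
    """Strong (cryptographic) checksum of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def write_manifest(artifacts: dict) -> str:
    """Produce the lock manifest at release time.

    Entries are sorted so the output is byte-for-byte deterministic, which
    lets the manifest itself be committed and diffed like any other source.
    """
    lines = ["# coordinate sha256 (constructed lock format for this example)"]
    for coord in sorted(artifacts):
        lines.append(f"{coord} {sha256_hex(artifacts[coord])}")
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict:
    """Parse the manifest strictly: a malformed or duplicate pin is an error,
    not something to silently skip, because a skipped pin means an unchecked
    artifact."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if (len(parts) != 2 or len(parts[1]) != 64
                or not set(parts[1].lower()) <= HEX_DIGITS):
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        coord, digest = parts
        if coord in pins:
            raise ValueError(f"duplicate pin for {coord} at line {lineno}")
        pins[coord] = digest.lower()
    return pins


@dataclass
class Report:
    verified: list = field(default_factory=list)
    mismatched: list = field(default_factory=list)   # digest differs from the pin
    unpinned: list = field(default_factory=list)     # resolved, but absent from manifest
    unresolved: list = field(default_factory=list)   # pinned, but the build never fetched it

    @property
    def ok(self) -> bool:
        return not (self.mismatched or self.unpinned or self.unresolved)


def verify(pins: dict, resolved: dict) -> Report:
    """Check every artifact the build resolved (coordinate -> bytes) against
    the trusted pins, and report pins that no resolved artifact satisfied."""
    report = Report()
    for coord, data in sorted(resolved.items()):
        expected = pins.get(coord)
        if expected is None:
            report.unpinned.append(coord)
            continue
        if sha256_hex(data) == expected:
            report.verified.append(coord)
        else:
            report.mismatched.append(coord)
    report.unresolved = sorted(set(pins) - set(resolved))
    return report


# Constructed sample: the artifact bytes in hand when the manifest was produced,
# i.e. the trusted source that lives alongside the sources being compiled.
RELEASE_ARTIFACTS = {
    "org.example:lib-a:1.0.0": b"lib-a release bytes",
    "org.example:lib-b:2.3.1": b"lib-b release bytes",
    "org.example:plugin-c:0.9.0": b"plugin-c release bytes",
}


def demo() -> Report:
    """Round-trip the manifest through text, then verify a constructed
    build-time resolution that exercises each failure mode once."""
    pins = parse_manifest(write_manifest(RELEASE_ARTIFACTS))
    resolved = {
        "org.example:lib-a:1.0.0": b"lib-a release bytes",            # intact
        "org.example:lib-b:2.3.1": b"lib-b release bytes, modified",  # altered on the mirror
        "org.example:lib-d:4.0.0": b"lib-d bytes nobody pinned",      # new, unpinned
        # plugin-c is pinned but was not resolved at all
    }
    return verify(pins, resolved)


if __name__ == "__main__":
    r = demo()
    for label in ("verified", "mismatched", "unpinned", "unresolved"):
        print(f"{label:11}: {getattr(r, label)}")
    print("build may proceed:", r.ok)
```

Two design choices are worth noting. The checker treats an unpinned artifact as a failure rather than a warning, since an artifact the manifest does not mention is exactly the one an attacker would add; and it reports pinned-but-unresolved artifacts too, because a manifest that drifts away from what the build actually uses stops being evidence of anything.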

