Unpacking lockfiles in different package managers

Benoit Baudry benoit.baudry at umontreal.ca
Fri Dec 5 21:11:14 UTC 2025


Thanks John!

And we're also working on a lockfile for 
Maven https://github.com/chains-project/maven-lockfile

cheers,

Benoit

On 2025-12-05 11:45, John Neffenger wrote:
>
> I did a quick check in your document about Maven, and it says:
>
>   "Meanwhile, Maven, the other major package manager for Java does not
> have a lockfile at all. We recommend the Maven community to add this
> feature and learn from the best practices to design an informative and
> usable lockfile."
>
> There's a secret feature in Maven (secret in that it's *not* at all well
> known) that provides dependency and plugin verification. See my post
> last year for details:
>
> release of maven-lockfile
> https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html 
>
>
> If lockfiles are, as the paper says, "used to reduce build times; to
> verify the integrity of resolved packages; and to support build
> reproducibility across environments and time," then this
> poorly-documented Maven feature should work as a built-in lockfile.
>
> John
>
> On 12/5/25 5:17 AM, Benoit Baudry wrote:
>> Hi everyone,
>>
>> We've recently worked on unpacking the various strategies for generating
>> lockfiles in different package managers: "The Design Space of Lockfiles
>> Across Package Managers"
>> https://arxiv.org/pdf/2505.04834
>>
>> Should this ring a bell, don't hesitate to reach out.
>>
>> cheers!
>>
>> Benoit, Yogya, Martin, Deepika
>>
>
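Editor's added example, not code from the paper, from either poster, or from Maven or maven-lockfile: a minimal lockfile generator and verifier that makes concrete the second of the three purposes quoted above, "verify the integrity of resolved packages". The line format (`<coordinate> <algorithm>:<hex-digest>`), the coordinates and the artifact bytes are all constructed for the example. The point it demonstrates is the one that decides whether a checksum feature can stand in for a lockfile at all: verification has to fail closed, so an artifact the build resolves that has no pinned digest is a failure, not a pass.

```python
# Added example (editor's illustration, not from the paper, the thread or Maven).
# Lockfile line format assumed here:  <coordinate> <algorithm>:<hex-digest>
import hashlib

SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def parse_lockfile(text: str) -> dict:
    """Return {coordinate: (algorithm, digest)}; reject malformed, duplicate or unknown-algorithm entries."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            coord, checksum = line.split()
            alg, digest = checksum.split(":", 1)
        except ValueError:
            raise ValueError(f"lockfile line {lineno}: malformed entry {raw!r}")
        alg = alg.lower()
        if alg not in SUPPORTED:
            raise ValueError(f"lockfile line {lineno}: unsupported algorithm {alg!r}")
        if coord in entries:
            raise ValueError(f"lockfile line {lineno}: duplicate entry for {coord}")
        entries[coord] = (alg, digest.lower())
    return entries


def record(resolved: dict, alg: str = "sha256") -> str:
    """Generate a lockfile from the artifacts actually resolved ({coordinate: bytes})."""
    lines = [f"# generated lockfile ({alg})"]
    for coord in sorted(resolved):
        lines.append(f"{coord} {alg}:{SUPPORTED[alg](resolved[coord]).hexdigest()}")
    return "\n".join(lines) + "\n"


def verify(lock_text: str, resolved: dict, fail_if_missing: bool = True) -> dict:
    """Check resolved artifacts {coordinate: bytes} against the lockfile.

    Status per coordinate:
      "ok"       content matches the pinned digest
      "mismatch" content differs from the pinned digest (tampered or substituted artifact)
      "unlocked" resolved but never pinned; reported as "skipped" when fail_if_missing is False
      "stale"    pinned but no longer resolved, i.e. the lockfile is out of date
    """
    lock = parse_lockfile(lock_text)
    report = {}
    for coord, data in resolved.items():
        if coord not in lock:
            report[coord] = "unlocked" if fail_if_missing else "skipped"
            continue
        alg, expected = lock[coord]
        actual = SUPPORTED[alg](data).hexdigest()
        report[coord] = "ok" if actual == expected else "mismatch"
    for coord in lock:
        if coord not in resolved:
            report[coord] = "stale"
    return report


def is_clean(report: dict) -> bool:
    """True only if every resolved artifact matched and nothing was unlocked, skipped or stale."""
    return bool(report) and all(status == "ok" for status in report.values())


# Constructed sample data standing in for resolved jar contents (not real artifacts).
SAMPLE_ARTIFACTS = {
    "org.example:core:1.0.0": b"constructed bytes of core-1.0.0.jar",
    "org.example:util:2.3.1": b"constructed bytes of util-2.3.1.jar",
}
SAMPLE_LOCK = record(SAMPLE_ARTIFACTS)


if __name__ == "__main__":
    print(SAMPLE_LOCK)
    print("clean build:", verify(SAMPLE_LOCK, SAMPLE_ARTIFACTS))
    tampered = {**SAMPLE_ARTIFACTS, "org.example:util:2.3.1": b"replaced on the mirror"}
    print("tampered util:", verify(SAMPLE_LOCK, tampered))
    extra = {**SAMPLE_ARTIFACTS, "org.example:newdep:0.1.0": b"pulled in by a transitive change"}
    print("unpinned dependency, fail-closed:", verify(SAMPLE_LOCK, extra))
    print("unpinned dependency, fail-open:", verify(SAMPLE_LOCK, extra, fail_if_missing=False))
```

`record` and `verify` are the generate and verify halves of the design space the paper surveys. The `fail_if_missing` switch is where a checksum feature turns into a lockfile or fails to: with it off, a dependency that appears after a transitive version bump is silently accepted, so the build is neither pinned across time nor protected against a substituted artifact; with it on, the build breaks until the lockfile is regenerated and reviewed. Whether the Maven feature John refers to is configured to fail closed is exactly the question to check before treating it as a lockfile.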

