Unpacking lockfiles in different package managers

Aman Sharma amansha at kth.se
Mon Dec 8 08:17:52 UTC 2025


Hi all,


> And we're also working on a lockfile for
Maven https://github.com/chains-project/maven-lockfile


Just to add to what Benoit said, Trusted checksums and maven-lockfile (https://github.com/chains-project/maven-lockfile/) have been compared before (https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003589.html) in the same thread "release of maven-lockfile".

Common feature: both record a list of checksums and fail the build if any dependency's checksum cannot be found in either the .sha512 (trusted checksum) or lockfile.json (maven-lockfile).


One main feature of lockfile is that it helps resolve exact dependencies if the dependencies' pom.xml (even transitive) declare version ranges. Other features are listed here (https://github.com/chains-project/maven-lockfile/issues/954#issue-2623808219):

  *   Can recreate pom file from lockfile
  *   Stores lockfile in each submodule individually
  *   Backwards compatible with older maven versions



Regards,
Aman Sharma

PhD Student
KTH Royal Institute of Technology
School of Electrical Engineering and Computer Science (EECS)
Department of Theoretical Computer Science (TCS)
https://www.kth.se/profile/amansha
https://algomaster99.github.io/
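The "fail the build if a checksum cannot be found" rule described above, as an added example that is not part of the thread or of maven-lockfile itself. The lockfile layout below (a "dependencies" list with "coordinates", "checksumAlgorithm" and "checksum") is an assumed simplification, not maven-lockfile's real schema, and the artifact bytes are constructed stand-ins for downloaded jars.

```python
import hashlib
import json

# Constructed artifact contents standing in for resolved jars (not real artifacts).
RESOLVED_ARTIFACTS = {
    "org.example:lib-a:1.2.0": b"contents of lib-a 1.2.0",
    "org.example:lib-b:2.0.1": b"contents of lib-b 2.0.1",
    "org.example:lib-c:0.9.0": b"contents of lib-c 0.9.0",  # never recorded in the lockfile
}


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


# Assumed, simplified lockfile layout (the real maven-lockfile schema differs).
# lib-b's recorded checksum is deliberately stale: it was taken from other bytes.
LOCKFILE_JSON = json.dumps({
    "dependencies": [
        {"coordinates": "org.example:lib-a:1.2.0", "checksumAlgorithm": "SHA-512",
         "checksum": sha512_hex(b"contents of lib-a 1.2.0")},
        {"coordinates": "org.example:lib-b:2.0.1", "checksumAlgorithm": "SHA-512",
         "checksum": sha512_hex(b"contents of lib-b 2.0.0")},
    ]
})


def verify(lockfile_json: str, resolved: dict) -> list:
    """Return one violation string per resolved artifact whose checksum is missing
    from, or different to, the lockfile. An empty list means the build may proceed."""
    locked = {}
    for dep in json.loads(lockfile_json)["dependencies"]:
        if dep["checksumAlgorithm"] != "SHA-512":
            raise ValueError(f"unsupported algorithm for {dep['coordinates']}")
        locked[dep["coordinates"]] = dep["checksum"].lower()
    violations = []
    for coords, data in sorted(resolved.items()):
        actual = sha512_hex(data)
        expected = locked.get(coords)
        if expected is None:
            violations.append(f"{coords}: no checksum recorded in lockfile")
        elif expected != actual:
            violations.append(f"{coords}: checksum mismatch "
                              f"(locked {expected[:12]}..., got {actual[:12]}...)")
    return violations


if __name__ == "__main__":
    for problem in verify(LOCKFILE_JSON, RESOLVED_ARTIFACTS):
        print("BUILD FAILURE:", problem)
```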
________________________________
From: rb-general <rb-general-bounces at lists.reproducible-builds.org> on behalf of Benoit Baudry <benoit.baudry at umontreal.ca>
Sent: Friday, December 5, 2025 10:11:14 PM
To: John Neffenger; General discussions about reproducible builds
Cc: Deepika Tiwari; Martin Monperrus; Yogya Gamage
Subject: Re: Unpacking lockfiles in different package managers

Thanks John!

And we're also working on a lockfile for
Maven https://github.com/chains-project/maven-lockfile

cheers,

Benoit

On 2025-12-05 11:45, John Neffenger wrote:
> NOTICE: External email. Be vigilant.
>
>
> I did a quick check in your document about Maven, and it says:
>
>   "Meanwhile, Maven, the other major package manager for Java does not
> have a lockfile at all. We recommend the Maven community to add this
> feature and learn from the best practices to design an informative and
> usable lockfile."
>
> There's a secret feature in Maven (secret in that it's *not* at all well
> known) that provides dependency and plugin verification. See my post
> last year for details:
>
> release of maven-lockfile
> https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html
>
>
> If Lockfiles are, as the paper says, "used to reduce build times; to
> verify the integrity of resolved packages; and to support build
> reproducibility across environments and time," then this
> poorly-documented Maven feature should work as a built-in Lockfile.
>
> John
>
> On 12/5/25 5:17 AM, Benoit Baudry wrote:
>> Hi everyone,
>>
>> We've recently worked on unpacking the various strategies for generating
>> lockfiles in different package managers: "The Design Space of Lockfiles
>> Across Package Managers"
>> https://arxiv.org/pdf/2505.04834
>>
>> Should this ring a bell, don't hesitate to reach out
>>
>> cheers!
>>
>> Benoit, Yogya, Martin, Deepika
>>
>