maven-dev mailing list archives

From Hervé BOUTEMY
Subject [DISCUSS] checking reproducible builds
Date Sat, 07 Mar 2020 10:36:58 GMT

Yesterday, I made a key step forward for Reproducible Builds with Maven: I wrote code to easily
check that your local build produces the same binaries as the reference binaries published
either to staging or to Central repository.

For a live example, see the last paragraph of the Maven Site Plugin vote that just started [1].

The process to check build output is based on a single plugin goal, currently named buildinfo:save:
1. it creates a buildinfo file during build recording output fingerprints, that will eventually
in the future be published to Central repository
2. it downloads reference artifacts and/or reference buildinfo and checks that the output
of the local build is the same as the reference.

Now I want to discuss: is it clear? can you test and report, please?

If the feedback is positive, the next question will be: in which plugin should we put this
goal to make a release and add it to our parent pom during release, so we publish reference
buildinfo along with our reference binaries to Central repository.

Thanks for your feedback
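
The two steps described in the message (record output fingerprints, then compare the local build against a reference), sketched as an added example that is not part of the original message and is not the plugin's code. The key layout (`outputs.<n>.filename`, `.length`, `.checksums.sha512`) and the sample artifact names are assumptions made for illustration; the message does not show the buildinfo file format.

```python
import hashlib
import tempfile
from pathlib import Path

def parse_buildinfo(text):
    """Parse assumed 'outputs.<n>.<field>=value' lines into {filename: fields}."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        parts = key.split(".", 2)
        if not sep or len(parts) != 3 or parts[0] != "outputs":
            continue
        entries.setdefault(parts[1], {})[parts[2]] = value.strip()
    return {e["filename"]: e for e in entries.values() if "filename" in e}

def fingerprint(path):
    """Fingerprint one local output the same way the reference records it."""
    data = Path(path).read_bytes()
    return {"length": str(len(data)),
            "checksums.sha512": hashlib.sha512(data).hexdigest()}

def compare(reference_text, local_dir):
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for each reference output."""
    result = {}
    for name, ref in parse_buildinfo(reference_text).items():
        # Use only the base name so a reference entry cannot point outside local_dir.
        local = Path(local_dir) / Path(name).name
        if not local.is_file():
            result[name] = "missing"
            continue
        # A field absent from the reference counts as a mismatch (fail closed).
        same = all(ref.get(k) == v for k, v in fingerprint(local).items())
        result[name] = "ok" if same else "mismatch"
    return result

def demo():
    """Constructed sample: one identical output, one differing, one not built."""
    reference = [("demo-1.0.jar", b"same bytes"),
                 ("demo-1.0.pom", b"reference bytes"),
                 ("demo-1.0-sources.jar", b"sources")]
    lines = []
    for i, (name, data) in enumerate(reference):
        lines += [f"outputs.{i}.filename={name}",
                  f"outputs.{i}.length={len(data)}",
                  f"outputs.{i}.checksums.sha512={hashlib.sha512(data).hexdigest()}"]
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "demo-1.0.jar").write_bytes(b"same bytes")
        (Path(d) / "demo-1.0.pom").write_bytes(b"local bytes")
        return compare("\n".join(lines), d)

if __name__ == "__main__":
    print(demo())
```

Any entry that is not `ok` means the local build is not bit-for-bit identical to the reference for that file.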




