Hi, Yesterday, I made a key step forward for Reproducible Builds with Maven: I wrote code to easily check that your local build produces the same binaries as the reference binaries published either to staging or to Central repository.
For a live example, see the last paragraph of Maven Site Plugin vote that just started [1]. Process to check build output is based on a single plugin goal, currently named buildinfo:save [2]: 1. it creates a buildinfo file during build recording output fingerprints, that will eventually in the future be published to Central repository 2. it downloads reference artifacts and/or reference buildinfo and checks that the output of the local build is the same as the reference. Now I want to discuss: is it clear? can you test and report, please? If the feedback is positive, the next question will be: in which plugin should we put this goal to make a release and add it to our parent pom during release, so we publish reference buildinfo along our reference binaries to Central repository. Thanks for your feedback Regards, Hervé [1] https://lists.apache.org/thread.html/rd3af15d383ddceeb950cd90569e3dcdd6e5a0f5d3cd653ec534b0609%40%3Cdev.maven.apache.org%3E [2] https://github.com/apache/maven-studies/tree/maven-buildinfo-plugin --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org For additional commands, e-mail: dev-h...@maven.apache.org
