On 19/11/2020 09:51, Tamás Cservenák wrote:

> Without starting any flame wars, am really curious: why are you
> repackaging Maven?
> 
> I'd understand for OS/distro native packages, but
> why do you rebuild JVM bytecode as well?
> 
> Again, am not to start any flame war, am just curious!

Short answer: why not? This is an Open Source project, not an Open
Binary project. Anyone should be able to rebuild the code, and in an
ideal world where every project is reproducible, get byte identical
binaries.

Long answer: Debian, Fedora, and I assume Guix are "closed" ecosystems
where you can rebuild every component from sources without needing tools
or libraries outside of the distribution. If you were alone on a desert
island with just a laptop, the sources and no internet connection, you
would be able to rebuild any part of the distribution from scratch.

This really goes to the roots of the open source philosophy: open source
projects are meant to be built from sources, and if it's not possible
then there is a problem somewhere. Assuming every project becomes
reproducible at some point (see https://reproducible-builds.org for why
it matters) the question of knowing who produced the binaries becomes
irrelevant, because everyone gets the exact same binaries.


> 3) What are you really building? As in video, it is said
> several times that you "mutilate" some package to build
> it, then use it to "bootstrap" some other package, and finally
> you rebuild the target package. Given in the process there
> was once a "mutilated" tool, how are you certain, that output
> of the build is correct (I have no doubts about
> reproducibility)? How do you prove that output is what
> it is thought/assumed to be?

In Debian the Maven package we rebuild from sources is itself used to
build all the other Maven based projects packaged in Debian (that's over
600 projects currently), so regressions are caught pretty quickly (it's
rare but it happens sometimes when the binary compatibility is broken in
a core library like maven-shared-utils).


> 3) (Joker) What is the overall CO2 footprint of distros like
> these? I believe you did not use Apple M1 for this work... :)

Probably a tiny fraction of what Bitcoin mining, Travis CI and
YouTube/Netflix 4K videos generate ;)

Emmanuel Bourg
