Could we list the Maven Trusted Checksums feature [1] among the top
features, if not *the* top feature, of Maven 4?
Such dependency verification is a critical requirement in a build tool
for those working to prevent supply chain attacks, but the feature is
completely unknown among that group.
Just today, a paper [2] was posted to the Reproducible Builds mailing
list that states:
"Meanwhile, Maven, the other major package manager for Java does not
have a lockfile at all. We recommend the Maven community to add this
feature and learn from the best practices to design an informative and
usable lockfile."
The paper explains, "Lockfiles are used to reduce build times; to verify
the integrity of resolved packages; and to support build reproducibility
across environments and time." I think the Trusted Checksums feature
satisfies that definition.
Other projects that seek to provide Maven Lockfiles [3] were also
unaware of the built-in support for dependency verification in Maven
version 3.9.2 back in September 2024.
This major new feature has failed to be noticed. Can we increase its
visibility when Maven 4 is released?
And perhaps we should call them Lockfiles. :-)
Thanks,
John
[1]: https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html
[2]: https://arxiv.org/pdf/2505.04834
[3]: https://github.com/chains-project/maven-lockfile
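The property John is describing, a pinned list of checksums that the build refuses to deviate from, is easy to lose among the feature's configuration details, so here is an added illustration of the check itself. This is example code written for this page, not Maven's or Maven Resolver's own implementation: the summary-file line format, the artifact keys and the function names are assumptions chosen for readability, and the artifact bytes are constructed.

```python
"""Illustrative "trusted checksums" lockfile check for resolved dependencies.

Added example: models the property the e-mail attributes to Maven's Trusted
Checksums feature (pin each resolved artifact to a known checksum; refuse
altered or unknown ones). The file format, keys and function names are
assumptions for illustration, not Maven Resolver's own layout or API.
"""
from __future__ import annotations

import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_summary(artifacts: dict[str, bytes]) -> str:
    """'Record' mode: pin every resolved artifact.
    Assumed line format: <groupId>:<artifactId>:<extension>:<version>=<sha256>."""
    lines = ["# constructed trusted-checksums summary (illustrative format)"]
    for key in sorted(artifacts):
        lines.append(f"{key}={sha256_hex(artifacts[key])}")
    return "\n".join(lines) + "\n"


def parse_summary(text: str) -> dict[str, str]:
    """Parse the summary strictly: reject malformed digests and conflicting pins."""
    pinned: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, digest = line.partition("=")
        key, digest = key.strip(), digest.strip().lower()
        if not sep or len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        if key in pinned and pinned[key] != digest:
            raise ValueError(f"line {lineno}: conflicting checksum for {key}")
        pinned[key] = digest
    return pinned


def verify_artifacts(pinned: dict[str, str], resolved: dict[str, bytes]) -> dict[str, str]:
    """Per-artifact status: 'ok', 'mismatch' (content changed since pinning),
    or 'unpinned' (artifact was resolved but never recorded)."""
    results: dict[str, str] = {}
    for key, data in resolved.items():
        expected = pinned.get(key)
        if expected is None:
            results[key] = "unpinned"
            continue
        # constant-time compare is cheap and avoids a habit of plain == on digests
        results[key] = "ok" if hmac.compare_digest(sha256_hex(data), expected) else "mismatch"
    return results


def build_passes(results: dict[str, str], fail_if_missing: bool = True) -> bool:
    """A lockfile-style policy fails on any mismatch; 'fail_if_missing' decides
    whether a dependency absent from the pinned list also fails the build."""
    bad = {"mismatch"} | ({"unpinned"} if fail_if_missing else set())
    return not any(status in bad for status in results.values())


# Constructed sample data: lib-a is intact, lib-b was pinned from other bytes
# (simulating a substituted download), lib-c was never pinned at all.
ORIGINAL_LIB_B = b"PK\x03\x04 constructed jar bytes for lib-b 2.1.0"
RESOLVED = {
    "org.example:lib-a:jar:1.0.0": b"PK\x03\x04 constructed jar bytes for lib-a 1.0.0",
    "org.example:lib-b:jar:2.1.0": b"PK\x03\x04 SUBSTITUTED jar bytes for lib-b 2.1.0",
    "org.example:lib-c:jar:0.9.0": b"PK\x03\x04 constructed jar bytes for lib-c 0.9.0",
}
PINNED_TEXT = record_summary({
    "org.example:lib-a:jar:1.0.0": RESOLVED["org.example:lib-a:jar:1.0.0"],
    "org.example:lib-b:jar:2.1.0": ORIGINAL_LIB_B,
})


def run_demo() -> tuple[dict[str, str], bool]:
    results = verify_artifacts(parse_summary(PINNED_TEXT), RESOLVED)
    return results, build_passes(results)


if __name__ == "__main__":
    statuses, passed = run_demo()
    for key, status in statuses.items():
        print(f"{status:9} {key}")
    print("build passes under strict policy:", passed)
```

The two failure modes a reviewer cares about are both visible in the output: a changed artifact is reported as a mismatch, and a dependency that was resolved but never pinned is reported as unpinned, which the strict policy treats as a failure just as a lockfile would.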