On 2025/12/05 17:26:06 John Neffenger wrote:
> Could we list the Maven Trusted Checksums feature [1] among the top features, if not *the* top feature, of Maven 4?
>
> Such dependency verification is a critical requirement in a build tool for those working to prevent supply chain attacks, but the feature is completely unknown among that group.
>
> Just today, a paper [2] was posted to the Reproducible Builds mailing list that states:
>
> "Meanwhile, Maven, the other major package manager for Java does not have a lockfile at all. We recommend the Maven community to add this feature and learn from the best practices to design an informative and usable lockfile."
>
> The paper explains, "Lockfiles are used to reduce build times; to verify the integrity of resolved packages; and to support build reproducibility across environments and time." I think the Trusted Checksums feature satisfies that definition.
>
> Other projects that seek to provide Maven Lockfiles [3] were also unaware of the built-in support for dependency verification in Maven version 3.9.2 back in September 2024.
>
> This major new feature has failed to be noticed. Can we increase its visibility when Maven 4 is released?
>
> And perhaps we should call them Lockfiles. :-)
I gained some experience with uv and Cargo recently and need to tell you that we don't need a lock file (at all) because we don't have the same concept as other tools have. I will elaborate:

* We don't encourage using ranges or even open ranges like foo, foo>=1.5, etc. We always use fixed versions. Both LATEST and RELEASE are not recommended.
* Every dependency is tied to a repo in a custom properties file written by Resolver. Maven won't download from another repo.
* As you said, you can provide all checksums. You basically have everything that Cargo.lock or uv.lock are doing.

I personally even dislike uv's default index strategy compared to Maven or pip.

Michael
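As an added example that is not part of this thread and not Maven's or Resolver's own code, the following Python verifier shows the lockfile-style integrity check the discussion is about: every resolved artifact, pinned to a fixed version, is compared against a recorded SHA-256, and an artifact with no recorded checksum is itself a failure. The sha256sum-style summary format (`<hex>  <groupId>:<artifactId>:<extension>:<version>`), the sample artifacts and the sample summary are constructed assumptions for this example.

```python
import hashlib

# Constructed "resolved artifacts": coordinate -> bytes as downloaded (a real check
# would read the files from the local repository instead).
SAMPLE_ARTIFACTS: dict[str, bytes] = {
    "org.example:lib-a:jar:1.2.3": b"constructed jar bytes A",
    "org.example:lib-b:jar:2.0.0": b"constructed jar bytes B",
    "org.example:lib-c:jar:0.9.1": b"constructed jar bytes C",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed trusted summary, sha256sum-style "<hex>  <groupId>:<artifactId>:<ext>:<version>"
# (assumed format, not Maven's own): lib-a is pinned correctly, lib-b is pinned to a digest
# that will not match (a swapped artifact), and lib-c has no entry at all.
SAMPLE_SUMMARY = "\n".join([
    sha256_hex(SAMPLE_ARTIFACTS["org.example:lib-a:jar:1.2.3"]) + "  org.example:lib-a:jar:1.2.3",
    "0" * 64 + "  org.example:lib-b:jar:2.0.0",
])

def parse_summary(text: str) -> dict[str, str]:
    """Map coordinate -> expected lowercase hex digest; skips blank lines and '#' comments."""
    trusted: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, coord = line.split(None, 1)
        digest, coord = digest.lower(), coord.strip()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed SHA-256 entry for {coord}")
        trusted[coord] = digest
    return trusted

def verify(artifacts: dict[str, bytes], summary: str,
           fail_if_missing: bool = True) -> tuple[bool, list[str]]:
    """Return (ok, findings); with fail_if_missing an unpinned artifact is also a failure."""
    trusted = parse_summary(summary)
    findings: list[str] = []
    for coord, data in artifacts.items():
        expected = trusted.get(coord)
        if expected is None:
            if fail_if_missing:
                findings.append(f"MISSING: no trusted checksum recorded for {coord}")
        elif sha256_hex(data) != expected:
            findings.append(f"MISMATCH: {coord} does not match its trusted checksum")
    return (not findings, findings)
```

A build step would call `verify` on the artifacts it just resolved and abort when `ok` is false, treating the summary file as the committed lock record.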
