Hello all
On 08/12/2025 at 00:37, Manfred Moser wrote:
> Thanks so much Tamas. Also Elliotte.. I agree that the checksums
> should change .. but it should be possible to lock to specific
> artifacts with a checksum or some other value more closely under
> control than the GAV coordinates .. since they can be pointing to
> different artifacts.
Just as a personal opinion, I think that requirements for reproducible
builds are too strong as they force the sacrifice of metadata such as
build date. I would prefer semantic equivalency. For example, instead of
requiring that two JAR files are bit-to-bit identical, we could open
them as ZIP files and compare their entries. When comparing
META-INF/MANIFEST.MF, we could ignore a few attributes such as who built
the JAR. Those verifications could be done automatically by a Maven
plugin. When a project is making a vote for a release, that Maven plugin
could compare automatically what has been built locally with what is in
the staging repository.
Martin
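
The entry-by-entry comparison described in the message above, sketched in Python as an added example (not part of the original message and not an existing Maven plugin). The ignored attribute list, the function names and the in-memory sample JARs are assumptions constructed for illustration.

```python
import hashlib, io, zipfile

# Assumption: illustrative list of attributes treated as non-semantic.
IGNORED_ATTRS = {"built-by", "build-jdk", "created-by"}
MANIFEST = "META-INF/MANIFEST.MF"

def parse_manifest(data):
    """Manifest sections as sorted attribute lists, minus ignored attributes."""
    # Normalise CRLF, then unfold continuation lines (newline + one space).
    text = data.decode("utf-8").replace("\r\n", "\n").replace("\n ", "")
    sections = []
    for block in text.split("\n\n"):
        attrs = {}
        for line in filter(None, block.split("\n")):
            name, _, value = line.partition(": ")
            if name.lower() not in IGNORED_ATTRS:
                attrs[name.lower()] = value
        if attrs:
            sections.append(sorted(attrs.items()))
    return sections

def entry_digests(jar_bytes):
    """Map entry name -> comparable value; ZIP timestamps and order are ignored."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename in out:  # duplicate names could hide content
                raise ValueError(f"duplicate entry: {info.filename}")
            data = zf.read(info)
            if info.filename == MANIFEST:
                out[info.filename] = repr(parse_manifest(data))
            else:
                out[info.filename] = hashlib.sha256(data).hexdigest()
    return out

def jar_differences(a, b):
    """Sorted entry names that are missing on one side or differ in content."""
    da, db = entry_digests(a), entry_digests(b)
    return sorted(n for n in da.keys() | db.keys() if da.get(n) != db.get(n))

def make_jar(built_by, cls, date):
    """Constructed sample JAR, built in memory for this demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        mf = f"Manifest-Version: 1.0\r\nBuilt-By: {built_by}\r\nMain-Class: demo.App\r\n\r\n"
        zf.writestr(zipfile.ZipInfo(MANIFEST, date), mf)
        zf.writestr(zipfile.ZipInfo("demo/App.class", date), cls)
    return buf.getvalue()
```

Every attribute added to the ignore list is content the comparison no longer verifies, so the list should stay short and reviewed.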