[ https://issues.apache.org/jira/browse/MARTIFACT-68?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Herve Boutemy updated MARTIFACT-68:
-----------------------------------
    Description:
until now, artifact:buildinfo and artifact:compare have focused on RB for the build being done
it permitted to create Reproducible Central where we rebuild projects published to Maven Central when they have done some RB configuration, to check that their RB config is complete enough: https://github.com/jvm-repo-rebuild/reproducible-central/
now that we have near 600 projects publishing to Maven Central, it starts to make sense to go to the next step: know for a project if it USES dependencies that are reproducible
=> this requires 2 steps:
1. Reproducible Central needs to publish an index of artifacts with RB results (even in a project that is not fully reproducible, some artifacts are ok)
2. artifact plugin requires a new reporting goal that checks project dependencies against this index and reports (using a reproducible dependency from a reproducible release, reproducible dependency from a non-fully reproducible release, non-reproducible release from a project that has some reproducible releases, unknown status...)
it's now time to not only focus on producing reproducible projects: this was only the first step
it's now time to start consuming reproducible dependencies
when a project consumes a non-reproducible dependency, I hope it will help its dependency maintainer improve their build to be reproducible

  was:
until now, artifact:buildinfo and artifact:compare have focused on RB for the build being done
it permitted to create Reproducible Central where we rebuild projects published to Maven Central when they have done some RB configuration, to check that their RB config is complete enough: https://github.com/jvm-repo-rebuild/reproducible-central/
now that we have near 600 projects publishing to Maven Central, it starts to make sense to go to the next step: know for a project if it USES dependencies that are reproducible
=> this requires 2 steps:
1. Reproducible Central needs to publish an index of artifacts with RB results (even in a project that is not fully reproducible, some artifacts are ok)
2. artifact plugin requires a new reporting goal that checks project dependencies against this index and reports (using a reproducible dependency from a reproducible release, reproducible dependency from a non-fully reproducible release, non-reproducible release from a project that has some reproducible releases, ...)
it's now time to not only focus on producing reproducible projects: this was only the first step
it's now time to start consuming reproducible dependencies
when a project consumes a non-reproducible dependency, I hope it will help its dependency maintainer improve their build to be reproducible

> add a report on reproducibility of project's dependency
> -------------------------------------------------------
>
> Key: MARTIFACT-68
> URL: https://issues.apache.org/jira/browse/MARTIFACT-68
> Project: Maven Artifact Plugin
> Issue Type: New Feature
> Affects Versions: 3.5.1
> Reporter: Herve Boutemy
> Priority: Major
>
> until now, artifact:buildinfo and artifact:compare have focused on RB for the build being done
> it permitted to create Reproducible Central where we rebuild projects published to Maven Central when they have done some RB configuration, to check that their RB config is complete enough: https://github.com/jvm-repo-rebuild/reproducible-central/
> now that we have near 600 projects publishing to Maven Central, it starts to make sense to go to the next step: know for a project if it USES dependencies that are reproducible
> => this requires 2 steps:
> 1. Reproducible Central needs to publish an index of artifacts with RB results (even in a project that is not fully reproducible, some artifacts are ok)
> 2. artifact plugin requires a new reporting goal that checks project dependencies against this index and reports (using a reproducible dependency from a reproducible release, reproducible dependency from a non-fully reproducible release, non-reproducible release from a project that has some reproducible releases, unknown status...)
> it's now time to not only focus on producing reproducible projects: this was only the first step
> it's now time to start consuming reproducible dependencies
> when a project consumes a non-reproducible dependency, I hope it will help its dependency maintainer improve their build to be reproducible

--
This message was sent by Atlassian Jira (v8.20.10#820010)
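
The dependency check proposed in step 2, sketched as an added example; it is not code from the Maven Artifact Plugin or Reproducible Central. The index layout, the `org.example` coordinates and the `NOT_REPRODUCIBLE` status are assumptions made for illustration, since the issue does not define an index format.

```python
from enum import Enum

class Status(Enum):
    FULL = "reproducible dependency from a reproducible release"
    PARTIAL = "reproducible dependency from a non-fully reproducible release"
    OTHER_RELEASES_OK = ("non-reproducible release from a project that has "
                         "some reproducible releases")
    # Assumed extra case, not listed in the issue text.
    NOT_REPRODUCIBLE = "non-reproducible, no reproducible release known"
    UNKNOWN = "unknown status"

# Constructed sample index (hypothetical layout):
# project -> release version -> {"groupId:artifactId": rebuilt identically?}
SAMPLE_INDEX = {
    "lib": {
        "1.0": {"org.example:lib-core": False, "org.example:lib-api": False},
        "1.1": {"org.example:lib-core": True, "org.example:lib-api": True},
    },
    "tool": {
        "2.0": {"org.example:tool-cli": True, "org.example:tool-gui": False},
    },
}

def classify(dep, index):
    """Classify one 'groupId:artifactId:version' dependency against the index."""
    coords, version = dep.rsplit(":", 1)
    for releases in index.values():
        artifacts = releases.get(version, {})
        if coords not in artifacts:
            continue
        if artifacts[coords]:
            # The artifact itself rebuilt identically; was the whole release ok?
            return Status.FULL if all(artifacts.values()) else Status.PARTIAL
        # Assumption: "some reproducible releases" means another version of
        # the same project in which every artifact rebuilt identically.
        others_ok = any(all(a.values())
                        for v, a in releases.items() if v != version)
        return Status.OTHER_RELEASES_OK if others_ok else Status.NOT_REPRODUCIBLE
    return Status.UNKNOWN

def report(dependencies, index=SAMPLE_INDEX):
    """Map each dependency to its reproducibility status."""
    return {dep: classify(dep, index) for dep in dependencies}

if __name__ == "__main__":
    deps = ["org.example:lib-core:1.1", "org.example:tool-cli:2.0",
            "org.example:lib-api:1.0", "org.example:tool-gui:2.0",
            "org.example:missing:1.0"]
    for dep, status in report(deps).items():
        print(f"{dep:28} {status.value}")
```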