hboutemy commented on PR #206: URL: https://github.com/apache/maven-artifact-plugin/pull/206#issuecomment-4124369111
I'm thinking of this very concrete example: https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/io/cucumber/gherkin/README.md

where they use ranges, and:

- sometimes I was lucky to rebuild early enough to get the same resolved version, like 39.0.0
- sometimes I rebuilt too late, and I can't force Maven resolution to NOT use newer versions, like 37.0.1 and 38.0.0 (I added a manual comment in the diffoscope output). In this case, when another version is resolved than in the initial build, it has an impact on `.class` content. But often it does not impact `.class`.

The more I write, the more I think we're not describing the same "Reproducible Builds" semantics.

It could sometimes impact CycloneDX files, because they list dependencies. Or it will impact `.war` or `shade` output or anything that really copies the dependencies. But in general, version ranges that give "unstable over time" resolution do not impact "Reproducible Builds" in terms of getting the same output.

And even if it impacts output, I'm sure that by configuring an extension that locks resolution a little bit, we could force the build to get the same output = what Reproducible Builds is about = checking that nothing has been cheated in the output.

That being said, what to put in `.buildcompare`, I confess I don't know: in fact, I don't know how to describe the issue in plain text even in this PR. What would describe the gherkin case?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
