Hi everybody,


I am trying to understand how someone can independently verify the 
reproducibility of Java projects on Maven Central. Having explored the 
repositories on Maven Central, I could not find examples where the "buildinfo" 
file was present.



The archives of this mailing list pointed out examples such as 
https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.4/akka-actor_2.13-2.6.4.buildinfo,
 and yet my understanding is that this is not enough [but why?], hence 
reproducible-central was created to address some sort of gap.



So far, my mental model is that:

*       By including buildinfo in the artifacts on Maven Central, library 
authors empower users to check for themselves if the build is reproducible or 
not.
*       Reproducible-central takes it a step further and attempts to do a build 
and then gives you a "yes/no" result.



Thus, the former makes the problem solvable in principle, whereas the latter 
actually solves it. Is my understanding correct?





Besides that, I have some additional questions:

1. Can you provide references to documentation that explains how to make sure 
buildinfo ends up on Maven Central?

2. Is there a tutorial that describes how to get featured on Reproducible 
Central?





I had a look at 
https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/doc/BUILDSPEC.md,
 and my understanding is that this is not working for projects built on 
Windows, because it relies on rebuild.sh, which implies one has bash. The 
library I publish on Maven Central is built on a Windows computer - does this 
mean that I won't be able to list it in reproducible-builds?







Looking forward to your feedback,

Alex
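
Added example, not part of the original message and not code from any project mentioned in it: a Python check for the "users check for themselves" step in the mental model above, comparing locally rebuilt files against the outputs recorded in a .buildinfo file. The key layout (outputs.<n>.filename, .length, .checksums.sha512) is assumed from the Reproducible Builds JVM buildinfo convention; the function names and the sample data are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed key layout: outputs.<n>.filename / .length / .checksums.sha512
_OUTPUT_KEY = re.compile(r"^outputs\.(\d+(?:\.\d+)*)\.(filename|length|checksums\.sha512)$")

def parse_buildinfo(text):
    """Group the recorded outputs of a .buildinfo (properties-style) by index."""
    outputs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        match = _OUTPUT_KEY.match(key)
        if match:
            outputs.setdefault(match.group(1), {})[match.group(2)] = value
    return outputs

def verify_rebuild(buildinfo_text, rebuilt_dir):
    """Return {filename: 'reproducible' | 'differs' | 'missing'} for each recorded output."""
    results = {}
    for entry in parse_buildinfo(buildinfo_text).values():
        name = entry.get("filename")
        if name is None:
            continue
        # Basename only: the buildinfo is untrusted input and must not steer reads elsewhere.
        path = Path(rebuilt_dir) / Path(name).name
        if not path.is_file():
            results[name] = "missing"
            continue
        data = path.read_bytes()
        same_len = entry.get("length") == str(len(data))
        same_sum = entry.get("checksums.sha512", "").lower() == hashlib.sha512(data).hexdigest()
        results[name] = "reproducible" if same_len and same_sum else "differs"
    return results

def demo():
    """Constructed sample: three recorded outputs checked against a fake local rebuild."""
    jar, pom = b"constructed jar bytes", b"constructed pom bytes"
    lines = ["# constructed buildinfo, not from a real project"]
    for i, (name, data) in enumerate([("demo-1.0.jar", jar), ("demo-1.0.pom", pom), ("demo-1.0-sources.jar", b"x")]):
        lines += [f"outputs.{i}.filename={name}", f"outputs.{i}.length={len(data)}",
                  f"outputs.{i}.checksums.sha512={hashlib.sha512(data).hexdigest()}"]
    with tempfile.TemporaryDirectory() as rebuilt:
        (Path(rebuilt) / "demo-1.0.jar").write_bytes(jar)                   # identical rebuild
        (Path(rebuilt) / "demo-1.0.pom").write_bytes(pom + b"<!-- ts -->")  # bytes drifted
        return verify_rebuild("\n".join(lines), rebuilt)                    # sources jar never rebuilt
```

A "differs" result only shows that the bytes do not match; finding the cause (timestamps, file ordering, JDK or OS differences) takes a separate diff of the two artifacts.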
