On Thu, Mar 28, 2024, at 16:41, Railean, Alexander via rb-general wrote:
> I am trying to understand how someone can independently verify the
> reproducibility of Java projects on Maven Central. Having explored the
> repositories on Maven Central, I could not find examples where the
> “buildinfo” file was present.

Publishing a buildinfo to Maven Central is indeed relatively uncommon.

> The archives of this mailing list pointed out examples such as
> https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.4/akka-actor_2.13-2.6.4.buildinfo,
> and yet my understanding is that this is not enough [but why?], hence
> reproducible-central was created to address some sort of gap.
>
> So far, my mental model is that:
> • By including buildinfo in the artifacts on Maven Central, library authors
>   empower users to check for themselves if the build is reproducible or not.
> • Reproducible-central takes it a step further and attempts to do a build
>   and then gives you a “yes/no” result.
>
> Thus, the former makes the problem solvable in principle, whereas the latter
> actually solves it. Is my understanding correct?

Mostly: publishing the buildinfo is optional; it is possible to have a
reproducible build without publishing the buildinfo metadata (but you might
need some other way to convey the requirements for your build environment).
Indeed, reproducible-central has successfully rebuilt many artifacts that
haven't published a buildinfo.

> Besides that, I have some additional questions:
> 1. Can you provide references to documentation that explains how to make sure
>    buildinfo ends up on Maven Central?

In the case of Akka, they/we use the
https://github.com/raboof/sbt-reproducible-builds/ plugin for the sbt build
tool that is used to build Akka.

> 2. Is there a tutorial that describes how to get featured on Reproducible
>    Central?
>
> I had a look at
> https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/doc/BUILDSPEC.md,
> and my understanding is that this is not working for projects built on
> Windows, because it relies on rebuild.sh, which implies one has bash. The
> library I publish on Maven Central is built on a Windows computer – does this
> mean that I won’t be able to list it in reproducible-builds?

Hmm, that sounds tricky. However, my experience with Java/Maven is that it is
often possible to achieve reproducibility across operating systems: artifacts
built on MacOS can often be rebuilt on Linux and vice-versa, so perhaps the
same is also true for Windows?

Kind regards,

-- 
Arnout Engelen
Engelen Open Source
https://engelen.eu
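
The "check for themselves" step discussed in this thread, as an added example that is not part of the original message or of any project's tooling: compare the outputs recorded in a published buildinfo with the files from your own rebuild. It assumes the properties-style keys `outputs.<n>.filename`, `outputs.<n>.length` and `outputs.<n>.checksums.sha512` (single-module layout); the function names and the sample data are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed key layout: outputs.<n>.filename / .length / .checksums.sha512
KEY = re.compile(r"outputs\.(\d+)\.(filename|length|checksums\.sha512)")

def parse_outputs(buildinfo_text):
    """Collect the outputs.<n>.* entries of a properties-style buildinfo."""
    outputs = {}
    for raw in buildinfo_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        m = KEY.fullmatch(key)
        if m:
            outputs.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [outputs[i] for i in sorted(outputs)]

def verify_rebuild(buildinfo_text, rebuilt_dir):
    """Map filename -> 'match', 'mismatch', 'missing' or 'invalid-name'."""
    results = {}
    for out in parse_outputs(buildinfo_text):
        name = out.get("filename", "")
        # The buildinfo is untrusted input: refuse names that leave rebuilt_dir.
        if not name or Path(name).name != name:
            results[name] = "invalid-name"
            continue
        path = Path(rebuilt_dir) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        data = path.read_bytes()
        same = (str(len(data)) == out.get("length")
                and hashlib.sha512(data).hexdigest() == out.get("checksums.sha512", "").lower())
        results[name] = "match" if same else "mismatch"
    return results

def is_reproducible(buildinfo_text, rebuilt_dir):
    # An empty buildinfo proves nothing, so it does not count as reproducible.
    results = verify_rebuild(buildinfo_text, rebuilt_dir)
    return bool(results) and all(s == "match" for s in results.values())

if __name__ == "__main__":
    jar = b"constructed stand-in for a rebuilt jar"  # constructed sample data
    info = (f"outputs.0.filename=demo-1.0.jar\noutputs.0.length={len(jar)}\n"
            f"outputs.0.checksums.sha512={hashlib.sha512(jar).hexdigest()}\n")
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "demo-1.0.jar").write_bytes(jar)
        print(verify_rebuild(info, d), is_reproducible(info, d))
```

A `mismatch` only says the bytes differ; finding out why (timestamps, file ordering, JDK version) needs a content-level diff of the two artifacts.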