On Thu, Mar 28, 2024, at 16:41, Railean, Alexander via rb-general wrote:
> I am trying to understand how someone can independently verify the
> reproducibility of Java projects on Maven Central. Having explored the
> repositories on Maven Central, I could not find examples where the
> “buildinfo” file was present.
Publishing a buildinfo to Maven Central is indeed relatively uncommon.
> The archives of this mailing list pointed out examples such as
> https://repo1.maven.org/maven2/com/typesafe/akka/akka-actor_2.13/2.6.4/akka-actor_2.13-2.6.4.buildinfo,
> and yet my understanding is that this is not enough [but why?], hence
> reproducible-central was created to address some sort of gap.
>
> So far, my mental model is that:
> • By including buildinfo in the artifacts on Maven Central, library authors
> empower users to check for themselves if the build is reproducible or not.
> • Reproducible-central takes it a step further and attempts to do a build
> and then gives you a “yes/no” result.
>
> Thus, the former makes the problem solvable in principle, whereas the latter
> actually solves it. Is my understanding correct?
Mostly: publishing the buildinfo is optional, it is possible to have a
reproducible build without publishing the buildinfo metadata (but you might
need some other way to convey the requirements for your build environment).
Indeed, reproducible-central has successfully rebuilt many artifacts that
haven't published a buildinfo.
> Besides that, I have some additional questions:
> 1. Can you provide references to documentation that explains how to make sure
> buildinfo ends up on Maven Central?
In the case of Akka, they/we use the
https://github.com/raboof/sbt-reproducible-builds/ plugin for the sbt build
tool that is used to build Akka.
> 2. Is there a tutorial that describes how to get featured on Reproducible
> Central?
>
>
> I had a look at
> https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/doc/BUILDSPEC.md,
> and my understanding is that this is not working for projects built on
> Windows, because it relies on rebuild.sh, which implies one has bash. The
> library I publish on Maven Central is built on a Windows computer – does this
> mean that I won’t be able to list it in reproducible-builds?
Hmm, that sounds tricky. However, my experience with Java/Maven is that it is
often possible to achieve reproducibility across operating systems: artifacts
built on macOS can often be rebuilt on Linux and vice-versa, so perhaps the
same is also true for Windows?
Kind regards,
--
Arnout Engelen
Engelen Open Source
https://engelen.eu
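The first half of the exchange above (a published buildinfo lets users "check for themselves") can be made concrete with a small verifier. The following is an added example written for this page; it is not code from the thread, from reproducible-central, or from the sbt-reproducible-builds plugin. It assumes the buildinfo layout documented for the JVM at reproducible-builds.org/docs/jvm/, i.e. Java-properties lines with `outputs.N.filename`, `outputs.N.length` and `outputs.N.checksums.sha512` keys; the sample buildinfo and artifact bytes are constructed inline so the script runs offline, and the file names are placeholders rather than real Maven Central coordinates.

```python
import hashlib
import tempfile
from pathlib import Path


def parse_buildinfo(text):
    """Parse a Java-properties-style buildinfo into a dict.

    Blank lines and '#' comments are skipped; the first '=' separates key
    from value (the buildinfo format does not use ':' or escapes in practice).
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def expected_outputs(props):
    """Collect (filename, length, sha512) for every outputs.N.* group.

    Keys follow the reproducible-builds.org JVM layout, e.g.
    outputs.0.filename / outputs.0.length / outputs.0.checksums.sha512.
    length is -1 when the buildinfo does not record it.
    """
    groups = {}
    for key, value in props.items():
        parts = key.split(".", 2)  # ["outputs", "<N>", "<field>"]
        if len(parts) == 3 and parts[0] == "outputs" and parts[1].isdigit():
            groups.setdefault(int(parts[1]), {})[parts[2]] = value
    result = []
    for idx in sorted(groups):
        g = groups[idx]
        if "filename" in g and "checksums.sha512" in g:
            result.append((g["filename"], int(g.get("length", -1)),
                           g["checksums.sha512"].lower()))
    return result


def sha512_of(path):
    """Streaming SHA-512 of a file, hex encoded."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(buildinfo_text, directory):
    """Compare each recorded output against the file of that name in directory.

    Returns (all_ok, report) where report maps filename to 'ok', 'missing',
    'length mismatch (...)' or 'sha512 mismatch'. Length is checked first
    because it is cheap and already rules out most non-reproducible rebuilds.
    """
    report = {}
    for filename, length, sha in expected_outputs(parse_buildinfo(buildinfo_text)):
        path = Path(directory) / filename
        if not path.is_file():
            report[filename] = "missing"
            continue
        actual_len = path.stat().st_size
        if length >= 0 and actual_len != length:
            report[filename] = f"length mismatch ({actual_len} != {length})"
            continue
        report[filename] = "ok" if sha512_of(path) == sha else "sha512 mismatch"
    return bool(report) and all(v == "ok" for v in report.values()), report


def demo():
    """Constructed scenario: a clean check, then a jar whose rebuild differs."""
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d) / "example-lib_2.13-1.0.0.jar"   # placeholder name
        pom = Path(d) / "example-lib_2.13-1.0.0.pom"   # placeholder name
        jar.write_bytes(b"PK\x03\x04 constructed jar bytes, not a real archive")
        pom.write_bytes(b"<project>constructed pom</project>")
        buildinfo = "\n".join([
            "# constructed sample in the reproducible-builds.org JVM layout",
            "buildinfo.version=1.0-SNAPSHOT",
            "name=example-lib",
            "group-id=org.example",
            "artifact-id=example-lib_2.13",
            "version=1.0.0",
            "build-tool=sbt",
            "java.version=11.0.22",
            "os.name=Linux",
            f"outputs.0.filename={jar.name}",
            f"outputs.0.length={jar.stat().st_size}",
            f"outputs.0.checksums.sha512={sha512_of(jar)}",
            f"outputs.1.filename={pom.name}",
            f"outputs.1.length={pom.stat().st_size}",
            f"outputs.1.checksums.sha512={sha512_of(pom)}",
        ])
        clean_ok, clean_report = verify(buildinfo, d)
        # Simulate a rebuild that produced a same-length but different jar
        # (e.g. one entry's timestamp differs): flip the last byte.
        data = bytearray(jar.read_bytes())
        data[-1] ^= 0xFF
        jar.write_bytes(bytes(data))
        tampered_ok, tampered_report = verify(buildinfo, d)
    return clean_ok, clean_report, tampered_ok, tampered_report


if __name__ == "__main__":
    for label, ok, report in (("original", *demo()[0:2]), ("rebuilt", *demo()[2:4])):
        print(label, "OK" if ok else "FAILED", report)
```

The caveat the thread itself raises applies here: running this against the jar you downloaded from Maven Central only shows that the bits you have match what the publisher recorded at release time. To check reproducibility you still have to rebuild from the recorded source and environment and point the verifier at your own output directory, which is the step reproducible-central automates.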