> We have a compliance/audit requirement that we need to be able to exactly
> reproduce builds. (Current requirement does not allow the build machine
> access to our internal nexus repository.)

I have had to deal with this sort of requirement in the past in ISO, FDA
and code repository contexts. In my opinion you need to be able to build
"without anything else apart from the supplied codebase/artifacts". In the
Maven world the best way to achieve this is to package up all the source
code and your repository server setup (or at least the repository used by
your build with all artifacts) as well as Maven in the exact version you
use.

You will have to lock down all plugin and dependency versions and be sure
to have them in the repo and then you will be able to do a complete
offline build with the repo.

If you don't do that you will have some major nightmares in terms of
reproducibility of the build and the used artifacts. Do NOT follow down
the path of "just" trying to check everything into svn. If you do that
properly you will end up with the repository server in svn. Might as well
allow the repo server to be an artifact...
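
Added example, not part of the original message and not Maven project code: a small audit that lists the dependencies and plugins in a POM that are not locked to a fixed version, which is the precondition for the offline build described above. The function name `audit_pom` and the sample POM are constructed for illustration; the check assumes a single POM and does not resolve parent POMs or `${...}` properties.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Not reproducible: LATEST/RELEASE, SNAPSHOTs, and ranges such as [1.0,2.0)
FLOATING = re.compile(r"^(LATEST|RELEASE)$|-SNAPSHOT$|^[\[(].*,.*[\])]$")
SECTIONS = (  # (kind, managed entries, direct entries)
    ("dependency", "m:dependencyManagement/m:dependencies/m:dependency",
     "m:dependencies/m:dependency"),
    ("plugin", "m:build/m:pluginManagement/m:plugins/m:plugin",
     "m:build/m:plugins/m:plugin"),
)
# Constructed sample POM (illustrative coordinates only)
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId><artifactId>app</artifactId><version>1.0.0</version>
  <dependencies>
    <dependency><groupId>junit</groupId><artifactId>junit</artifactId><version>4.13.2</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>lib</artifactId><version>[1.0,2.0)</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>util</artifactId><version>2.1-SNAPSHOT</version></dependency>
  </dependencies>
  <build><plugins>
    <plugin><artifactId>maven-compiler-plugin</artifactId></plugin>
    <plugin><artifactId>maven-jar-plugin</artifactId><version>3.3.0</version></plugin>
  </plugins></build>
</project>"""

def _text(el, tag):
    child = el.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None

def _key(el):
    # Maven defaults a plugin's groupId to org.apache.maven.plugins
    group = _text(el, "groupId") or "org.apache.maven.plugins"
    return f"{group}:{_text(el, 'artifactId')}"

def audit_pom(pom_xml):
    """Return (kind, coordinate, problem) for every entry without a fixed version."""
    root = ET.fromstring(pom_xml)
    findings = []
    for kind, managed_path, direct_path in SECTIONS:
        managed = {_key(e): _text(e, "version") for e in root.findall(managed_path, NS)}
        for el in root.findall(managed_path, NS) + root.findall(direct_path, NS):
            version = _text(el, "version") or managed.get(_key(el))
            problem = ("no version" if version is None else
                       f"floating version {version}" if FLOATING.search(version) else None)
            if problem and (kind, _key(el), problem) not in findings:
                findings.append((kind, _key(el), problem))
    return findings
```

An empty result from `audit_pom` means every entry in that POM carries a fixed version; it says nothing about whether the artifacts are actually present in the packaged repository.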


