On Monday, 23 September 2019, 05:56:06 CEST, Tomo Suzuki wrote:
> Sounds nice!
Don't hesitate to build for yourself, check that you get the same sha512 and 
report: this will help me either confirm "it works", or find little remaining 
issues.

> 
> > The precise result depends only on 2 key facts
> 
> When I hear “reproducible builds”, I think of lock files that remember
> library versions used.
> Gradle’s approach:
> https://docs.gradle.org/current/userguide/dependency_locking.html
> 
> Does your approach use such file to record library versions?
No, we don't need such a lock file since we don't use version ranges: the 
dependency resolution is already stable.

Here, "Reproducible builds are a set of software development practices that 
create an independently-verifiable path from source to binary code."
See https://reproducible-builds.org/

For Java, one key non-reproducible aspect for example is the timestamp of zip 
entries in jar files.

Regards,

Hervé 

> 
> Regards,
> Tomo
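
The zip-entry timestamp issue raised in the reply above, as an added example that is not part of the original message or of Maven's own code: the same constructed entries are packed into a jar at two build times and then with a fixed timestamp, and the sha512 digests are compared. Entry names, contents, build times and `FIXED_TIME` are assumptions made for the illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample entries standing in for a jar's contents.
ENTRIES = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n\r\n",
    "org/example/App.class": b"\xca\xfe\xba\xbe constructed placeholder bytes",
}
# Constructed build times (zip stores seconds with 2-second resolution).
BUILD_A = (2019, 9, 23, 5, 56, 6)
BUILD_B = (2019, 9, 23, 6, 10, 30)
# Hypothetical fixed timestamp applied to every entry in a normalized build.
FIXED_TIME = (2019, 9, 23, 0, 0, 0)


def build_jar(entry_time):
    """Build a jar (zip) in memory, stamping every entry with entry_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name in sorted(ENTRIES):            # fixed entry order
            info = zipfile.ZipInfo(name, date_time=entry_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            info.create_system = 3              # do not depend on the host OS
            info.external_attr = 0o644 << 16    # fixed permissions
            jar.writestr(info, ENTRIES[name])
    return buf.getvalue()


def sha512(data):
    return hashlib.sha512(data).hexdigest()


def differing_entries(jar_a, jar_b):
    """Names of entries whose stored timestamp differs between two jars."""
    with zipfile.ZipFile(io.BytesIO(jar_a)) as a, \
         zipfile.ZipFile(io.BytesIO(jar_b)) as b:
        times_b = {i.filename: i.date_time for i in b.infolist()}
        return [i.filename for i in a.infolist()
                if times_b.get(i.filename) != i.date_time]


if __name__ == "__main__":
    a, b = build_jar(BUILD_A), build_jar(BUILD_B)
    print("same content, different build time:", sha512(a) == sha512(b))
    print("entries with differing timestamps:", differing_entries(a, b))
    n1, n2 = build_jar(FIXED_TIME), build_jar(FIXED_TIME)
    print("fixed timestamp, rebuilt twice:", sha512(n1) == sha512(n2))
```

When two independently built jars disagree on sha512, a per-entry comparison like `differing_entries` shows whether timestamps alone explain the difference.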




