On Monday 23 September 2019, 05:56:06 CEST, Tomo Suzuki wrote:
> Sounds nice!

Don't hesitate to build for yourself, check that you get the same sha512 and report: this will help me either confirm "it works", or find little remaining issues.

>
> > The precise result depends only on 2 key facts
>
> When I hear “reproducible builds”, I think of lock files that remember
> library versions used.
> Gradle’s approach:
> https://docs.gradle.org/current/userguide/dependency_locking.html
>
> Does your approach use such a file to record library versions?

No, we don't need such a lock file since we don't use version ranges: the dependency resolution is already stable.

Here, "Reproducible builds are a set of software development practices that create an independently-verifiable path from source to binary code."
see https://reproducible-builds.org/

For Java, one key non-reproducible aspect for example is the timestamp of zip entries in jar files.

Regards,

Hervé

>
> Regards,
> Tomo