I did a quick check in your document about Maven, and it says:

"Meanwhile, Maven, the other major package manager for Java does not have a lockfile at all. We recommend the Maven community to add this feature and learn from the best practices to design an informative and usable lockfile."

There's a secret feature in Maven (secret in that it's *not* at all well known) that provides dependency and plugin verification. See my post last year for details:

release of maven-lockfile
https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html

If lockfiles are, as the paper says, "used to reduce build times; to verify the integrity of resolved packages; and to support build reproducibility across environments and time," then this poorly documented Maven feature should work as a built-in lockfile.

John

On 12/5/25 5:17 AM, Benoit Baudry wrote:
Hi everyone,

We've recently worked on unpacking the various strategies for generating lockfiles in different package managers: "The Design Space of Lockfiles Across Package Managers" https://arxiv.org/pdf/2505.04834

Should this ring a bell, don't hesitate to reach out.

cheers!

Benoit, Yogya, Martin, Deepika


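The thread turns on what a lockfile actually buys a build: a recorded digest per resolved artifact, checked on every later resolution so that a re-published release, a tampered mirror, or a silently added transitive dependency fails the build instead of slipping through. The following is an added example of that record-then-verify loop, written for this page and not taken from the thread, from Maven, or from maven-lockfile. The lockfile format it uses (one `groupId:artifactId:version:ext=sha256:<hex>` line per artifact) is a hypothetical stand-in chosen for the example, and the "artifacts" are constructed in-memory byte strings rather than real jars; the parser also refuses weak digest algorithms, which matters because repositories commonly publish only .md5/.sha1 sidecars.

```python
"""Lockfile-style integrity check for resolved build artifacts.

Added example; not code from the thread, Maven or maven-lockfile. The
"coordinate=sha256:<hex>" lockfile format is a hypothetical stand-in, and
the artifact contents below are constructed byte strings, not real jars.
"""
import hashlib
from dataclasses import dataclass, field

HASH_ALG = "sha256"  # the only algorithm this example's lockfile accepts


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_lockfile(text: str) -> dict:
    """Parse lock entries into {coordinate: hex digest}.

    Rejects malformed lines, any algorithm other than SHA-256 (md5/sha1
    sidecars are not integrity evidence), and duplicate coordinates that
    disagree with each other.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        coord, sep, digest = line.partition("=")
        if not sep or coord.count(":") != 3:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        alg, sep2, hexdigest = digest.partition(":")
        if not sep2 or alg.lower() != HASH_ALG:
            raise ValueError(f"line {lineno}: only {HASH_ALG} is accepted, got {alg!r}")
        hexdigest = hexdigest.lower()
        if len(hexdigest) != 64 or any(c not in "0123456789abcdef" for c in hexdigest):
            raise ValueError(f"line {lineno}: bad {HASH_ALG} hex for {coord}")
        if coord in entries and entries[coord] != hexdigest:
            raise ValueError(f"line {lineno}: conflicting digest for {coord}")
        entries[coord] = hexdigest
    return entries


def record_lockfile(resolved: dict) -> str:
    """The 'generate' step: write digests of one resolution run, sorted for stable diffs."""
    lines = ["# coordinate=sha256:<hex>  (hypothetical format for this example)"]
    for coord in sorted(resolved):
        lines.append(f"{coord}={HASH_ALG}:{sha256_hex(resolved[coord])}")
    return "\n".join(lines) + "\n"


@dataclass
class Report:
    mismatched: list = field(default_factory=list)  # resolved bytes differ from the locked digest
    unlocked: list = field(default_factory=list)    # resolved this run but absent from the lockfile
    unresolved: list = field(default_factory=list)  # locked but not needed this run (informational)

    def ok(self, fail_if_unlocked: bool = True) -> bool:
        return not self.mismatched and not (fail_if_unlocked and self.unlocked)


def verify(resolved: dict, lock: dict) -> Report:
    """The 'check' step: compare every resolved artifact against the lockfile."""
    report = Report()
    for coord, data in resolved.items():
        expected = lock.get(coord)
        if expected is None:
            report.unlocked.append(coord)
        elif sha256_hex(data) != expected:
            report.mismatched.append(coord)
    report.unresolved = sorted(set(lock) - set(resolved))
    return report


def demo() -> dict:
    # Constructed artifacts standing in for what a resolver would download.
    first_run = {
        "org.example:libcore:1.2.3:jar": b"PK\x03\x04 libcore-1.2.3 contents",
        "org.example:libcore:1.2.3:pom": b"<project>libcore 1.2.3</project>",
        "org.example:maven-widget-plugin:0.9.0:jar": b"PK\x03\x04 widget plugin 0.9.0",
    }
    lock = parse_lockfile(record_lockfile(first_run))
    assert verify(first_run, lock).ok()  # a clean re-resolution passes

    # A later build: same coordinates, but one jar now carries different bytes
    # (a mutable release or a tampered mirror), a new transitive dependency
    # appeared, and a plugin is no longer needed.
    later_run = dict(first_run)
    later_run["org.example:libcore:1.2.3:jar"] = b"PK\x03\x04 libcore-1.2.3 REPLACED"
    later_run["org.example:libextra:2.0.0:jar"] = b"PK\x03\x04 libextra 2.0.0"
    del later_run["org.example:maven-widget-plugin:0.9.0:jar"]
    report = verify(later_run, lock)
    return {"mismatched": report.mismatched, "unlocked": report.unlocked,
            "unresolved": report.unresolved, "ok": report.ok()}


if __name__ == "__main__":
    print(demo())
```

The split between "unlocked" and "unresolved" is deliberate: an artifact that was resolved but never locked is a supply-chain finding and should fail the build, whereas a locked artifact that this run did not need (for example a plugin only used in one profile) is worth reporting but is not an integrity failure.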