Hi all,
> And we're also working on a lockfile for Maven https://github.com/chains-project/maven-lockfile

Just to add to what Benoit said, Trusted checksums and maven-lockfile <https://github.com/chains-project/maven-lockfile/> have been compared before <https://lists.reproducible-builds.org/pipermail/rb-general/2024-November/003589.html> in the same thread "release of maven-lockfile".

Common feature: both record a list of checksums and fail the build if any dependency's checksum cannot be found in either the .sha512 (trusted checksum) or lockfile.json (maven-lockfile).

One main feature of lockfile is that it helps resolve exact dependencies if the dependencies' pom.xml (even transitive) declare version ranges. Other features are listed here <https://github.com/chains-project/maven-lockfile/issues/954#issue-2623808219>:

* Can recreate pom file from lockfile
* Stores lockfile in each submodule individually
* Backwards compatible with older maven versions

Regards,
Aman Sharma
PhD Student
KTH Royal Institute of Technology
School of Electrical Engineering and Computer Science (EECS)
Department of Theoretical Computer Science (TCS)
<http://www.kth.se>
<https://www.kth.se/profile/amansha>
https://algomaster99.github.io/

________________________________
From: rb-general <[email protected]> on behalf of Benoit Baudry <[email protected]>
Sent: Friday, December 5, 2025 10:11:14 PM
To: John Neffenger; General discussions about reproducible builds
Cc: Deepika Tiwari; Martin Monperrus; Yogya Gamage
Subject: Re: Unpacking lockfiles in different package managers

Thanks John!

And we're also working on a lockfile for Maven https://github.com/chains-project/maven-lockfile

cheers,

Benoit

On 2025-12-05 11:45, John Neffenger wrote:
> NOTICE: External email. Be vigilant.
>
>
> I did a quick check in your document about Maven, and it says:
>
> "Meanwhile, Maven, the other major package manager for Java does not
> have a lockfile at all. We recommend the Maven community to add this
> feature and learn from the best practices to design an informative and
> usable lockfile."
>
> There's a secret feature in Maven (secret in that it's *not* at all well
> known) that provides dependency and plugin verification. See my post
> last year for details:
>
> release of maven-lockfile
> https://lists.reproducible-builds.org/pipermail/rb-general/2024-September/003545.html
>
>
> If Lockfiles are, as the paper says, "used to reduce build times; to
> verify the integrity of resolved packages; and to support build
> reproducibility across environments and time," then this
> poorly-documented Maven feature should work as a built-in Lockfile.
>
> John
>
> On 12/5/25 5:17 AM, Benoit Baudry wrote:
>> Hi everyone,
>>
>> We've recently worked on unpacking the various strategies for generating
>> lockfiles in different package manager: "The Design Space of Lockfiles
>> Across Package Managers"
>> https://arxiv.org/pdf/2505.04834
>>
>> Shall this ring a bell don't hesitate to reach out
>>
>> cheers!
>>
>> Benoit, Yogya, Martin, Deepika
>>
>

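As an added illustration of the common feature described in the thread (checksums recorded per dependency, build fails when a resolved dependency has no matching entry) together with the pinning of version ranges, the sketch below is my own Python and is not code from maven-lockfile or from Maven's trusted-checksums feature. The JSON layout, the `groupId:artifactId` keys, the jar bytes and the `verify` / `version_in_range` names are constructed for this example; real Maven version parsing (qualifiers, soft requirements) is out of scope here.

```python
import hashlib
import json

# Constructed sample: dependencies as resolved into the local repository,
# keyed "groupId:artifactId" -> (resolved version, jar bytes).
RESOLVED = {
    "org.example:lib-a": ("1.4.2", b"bytes of lib-a-1.4.2.jar"),
    "org.example:lib-b": ("2.0.0", b"bytes of lib-b-2.0.0.jar"),
    "org.example:lib-c": ("0.9.1", b"bytes of lib-c-0.9.1.jar"),
}
# Constructed sample: version requirements as the pom(s) declare them, ranges included.
DECLARED = {"org.example:lib-a": "[1.2,2.0)", "org.example:lib-b": "[2.0.0]",
            "org.example:lib-c": "[1.0,)"}
# Constructed lockfile (illustrative schema, not maven-lockfile's real one); lib-b has a
# stale digest and lib-c is missing, to exercise both failure paths.
LOCKFILE = json.dumps({"dependencies": [
    {"id": "org.example:lib-a", "version": "1.4.2",
     "sha512": hashlib.sha512(b"bytes of lib-a-1.4.2.jar").hexdigest()},
    {"id": "org.example:lib-b", "version": "2.0.0", "sha512": "0" * 128},
]})

def _v(s):
    """'1.4.2' -> (1, 4, 2); this toy parser handles purely numeric versions only."""
    return tuple(int(p) for p in s.split("."))

def version_in_range(version, spec):
    """Check a bracketed Maven-style range such as '[1.2,2.0)', '[1.0,)' or '[2.0.0]'."""
    body = spec[1:-1]
    if "," not in body:  # '[x.y.z]' pins exactly one version
        return _v(version) == _v(body)
    lo, hi = body.split(",")
    v = _v(version)
    low_ok = not lo or (v > _v(lo) if spec[0] == "(" else v >= _v(lo))
    high_ok = not hi or (v < _v(hi) if spec[-1] == ")" else v <= _v(hi))
    return low_ok and high_ok

def verify(lockfile_json, resolved, declared):
    """Return failure messages; an empty list means the build may proceed."""
    pinned = {e["id"]: e for e in json.loads(lockfile_json)["dependencies"]}
    failures = []
    for dep, (version, data) in resolved.items():
        entry = pinned.get(dep)
        if entry is None:
            failures.append(f"{dep}: no lockfile entry")
        elif entry["version"] != version or not version_in_range(version, declared[dep]):
            failures.append(f"{dep}: resolved {version} is not the pinned {entry['version']} in {declared[dep]}")
        elif hashlib.sha512(data).hexdigest() != entry["sha512"].lower():
            failures.append(f"{dep}: sha512 mismatch")
    return failures
```

Calling `verify(LOCKFILE, RESOLVED, DECLARED)` on the constructed data reports lib-b's digest mismatch and lib-c's missing entry, which is the point at which either tool would stop the build.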