Hi Brian It just seems like the rev ID is really useful here for identifying > reproducible builds without creating releases every time, does it fit with > your ideas? If so, a hypothetical repository manager plugin could be > maintaining information about snapshot dependencies based on SCM rev ID, > thus allowing for reproducibility without modifying Maven or existing > snapshot mechanics. Such a plugin might be able to generate a POM that has > the extra rev ID metadata that the repo manager would recognize, allowing > for existing SNAPSHOT-style identifiers to keep working for developer > desktops (avoiding SCM thrash), but also providing reproducibility through > synthetic POMs.
I think this is a great idea. If the pom for each snapshot contains enough metadata about each of its upstream snapshots to be able to reproduce an identical binary, we're good. Since I believe Maven already stores the md5 for each snapshot, this is verifiable. Perhaps including in the POM for a snapshot the SCM URIs that were used to create it and the version id (for SCMs that support atomic commits - I can't see a happy way to do this for CVS, for example, without using tags) and the same information nested for any of their upstream snapshots? And then for extra points a command that could look at this pom, regenerate the whole thing from scratch, and verify it against the md5 for the original binary. Jez. -- Jez Humble Co-author, *Continuous Delivery <http://continuousdelivery.com/>* http://continuousdelivery.com/ http://jezhumble.net/ -- View this message in context: http://maven.40175.n5.nabble.com/Continuous-Delivery-and-Maven-tp3245370p3254548.html Sent from the Maven - Users mailing list archive at Nabble.com.
