[ https://issues.apache.org/jira/browse/MARTIFACT-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895912#comment-17895912 ]
Herve Boutemy commented on MARTIFACT-68:
----------------------------------------

see https://github.com/jvm-repo-rebuild/reproducible-central/issues/421
implementation of https://github.com/jvm-repo-rebuild/reproducible-central/issues/20

such a badge could be added to MPIR dependencies report, both on dependencies and on the currently built artifact

> add a report on reproducibility of project's dependencies
> ---------------------------------------------------------
>
>                 Key: MARTIFACT-68
>                 URL: https://issues.apache.org/jira/browse/MARTIFACT-68
>             Project: Maven Artifact Plugin
>          Issue Type: New Feature
>    Affects Versions: 3.5.1
>            Reporter: Herve Boutemy
>            Priority: Major
>
> until now, artifact:buildinfo and artifact:compare have focused on RB for the
> build being done
> it permitted us to create Reproducible Central where we rebuild projects
> published to Maven Central when they have done some RB configuration, to
> check that their RB config is complete enough:
> https://github.com/jvm-repo-rebuild/reproducible-central/
> now that we have nearly 600 projects publishing to Maven Central, it starts to
> make sense to go to the next step: know for a project if it USES dependencies
> that are reproducible
> => this requires 2 steps:
> 1. Reproducible Central needs to publish an index of artifacts with RB
> results (even in a project that is not fully reproducible, some artifacts are
> ok)
> 2. artifact plugin requires a new reporting goal that checks project
> dependencies against this index and reports (using a reproducible dependency
> from a reproducible release, reproducible dependency from a non-fully
> reproducible release, non-reproducible release from a project that has some
> reproducible releases, unknown status...)
> it's now time to not only focus on producing reproducible projects: this was
> only the first step
> it's now time to start consuming reproducible dependencies
> when a project consumes a non-reproducible dependency, I hope it will help
> its dependency maintainer improve their build to be reproducible

--
This message was sent by Atlassian Jira
(v8.20.10#820010)