[jira] [Commented] (MARTIFACT-68) add a report on reproducibility of project's dependencies

[Herve Boutemy (Jira)]

    [ 
https://issues.apache.org/jira/browse/MARTIFACT-68?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17895912#comment-17895912
 ] 

Herve Boutemy commented on MARTIFACT-68:
----------------------------------------

see https://github.com/jvm-repo-rebuild/reproducible-central/issues/421 
implementation of 
https://github.com/jvm-repo-rebuild/reproducible-central/issues/20

such badge could be added to MPIR dependencies report, both on dependencies and 
on the currently built artifact

> add a report on reproducibility of project's dependencies
> ---------------------------------------------------------
>
>                 Key: MARTIFACT-68
>                 URL: https://issues.apache.org/jira/browse/MARTIFACT-68
>             Project: Maven Artifact Plugin
>          Issue Type: New Feature
>    Affects Versions: 3.5.1
>            Reporter: Herve Boutemy
>            Priority: Major
>
> until now, artifact:buildinfo and artifact:compare have focused on RB for the 
> build being done
> it permitted to create Reproducible Central where we rebuild projects 
> published to Maven Central when they have done some RB configuration, to 
> check that their RB config is complete enough: 
> https://github.com/jvm-repo-rebuild/reproducible-central/
> now that we have near 600 projects publishing to Maven Central, it start to 
> make sense to go to the next step: know for a project if it USES dependencies 
> that are reproducible
> => this requires 2 steps:
> 1. Reproducible Central needs to publish an index of artifacts with RB 
> results (even in a project that is not fully reproducible, some artifacts are 
> ok)
> 2. artifact plugin requires a new reporting goal that checks project 
> dependencies against this index and reports (using a reproducible dependency 
> from a reproducible release, reproducible dependency from a non-fully 
> reproducible release, non-reproducible release from a project that has some 
> reproducible releases, unknown status...)
> it's now time to not only focus on producing reproducible projects: this was 
> only the first step
> it's now time to start consuming reproducible dependencies
> when a project consumes a non-reproducible dependency, I hope it will help 
> its dependency maintainer improve their build to be reproducible



--
This message was sent by Atlassian Jira
(v8.20.10#820010)