Rebuilding artifacts from (Maven) Central Repository
an independently-verifiable path from source to binary code
As part of Reproducible Builds efforts for the JVM, this "Reproducible Central" project is an attempt at:
- writing .buildspec rebuild instructions for the artifacts available in the Central Repository, equivalent to the packaging instructions that are maintained by every Linux distribution (for example Debian's debian/rules or ArchLinux's PKGBUILD), whatever the build tool used (Central Repository is not used by Maven only),
- showing the level of reproducibility obtained using previous instructions: how many output files from the rebuild are strictly equal to reference in Central Repository, how many output files are not yet reproducible and should be improved before the next release?
What Can I Do?
Rebuild Yourself To Check Results
You can rebuild a project release by running:
./rebuild.sh content/<path/to/...>/<project>-<version>.buildspec
The rebuild.sh script will use the build specification file (= .buildspec file) to choose a Docker image to rebuild the project and check output against Central Repository reference binaries.
Contribute A New `.buildspec`
If you know a project released to Central Repository that is expected to provide Reproducible Builds, please tell us by opening an issue with details.
You can also choose one from our list of projects waiting for a .buildspec: follow our instructions to write a new .buildspec that you can contribute back with a PR.
Improve Reproducibility Score Of A Project Release
If a rebuild published here is not fully reproducible (it has some
You'll need to rebuild the release yourself (see previous instructions), then use diffoscope to explore the precise differences between the reference file from Central Repository and the file your rebuild produced, then debug down to the root cause of this unwanted difference:
- rebuilder bug: if the improvement has to happen at buildspec or rebuild script level, don't hesitate to open an issue or a PR here,
- upstream project reproducibility issue 🪲: please contact the upstream project and help them improve the reproducibility for their next release, creating an issue in their issue tracker and adding it to the Reproducible Central buildspec as the issue parameter, which will link to it with a 🪲.
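To decide which files are worth opening in diffoscope, the byte-for-byte check can be run by hand. The script below is an added example, not Reproducible Central's rebuild.sh: the reference/ and rebuild/ directory layout and the demo-1.0 file names are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not Reproducible Central's own script. Assumed layout:
#   REF_DIR  reference files downloaded from Central Repository
#   OUT_DIR  files produced by your local rebuild

# compare_rebuild REF_DIR OUT_DIR
# Prints one status line per reference file, then "score: <identical>/<total>".
# Returns 0 only when every reference file has a byte-identical rebuilt file.
compare_rebuild() {
    cr_ref=$1; cr_out=$2; cr_ok=0; cr_total=0
    cr_list=$(cd "$cr_ref" && find . -type f | sort) || return 2
    while IFS= read -r cr_rel; do
        [ -n "$cr_rel" ] || continue
        cr_rel=${cr_rel#./}
        cr_total=$((cr_total + 1))
        if [ ! -f "$cr_out/$cr_rel" ]; then
            printf 'MISSING %s\n' "$cr_rel"   # rebuild did not produce this file
        elif cmp -s "$cr_ref/$cr_rel" "$cr_out/$cr_rel"; then
            printf 'OK      %s\n' "$cr_rel"   # strictly equal to the reference
            cr_ok=$((cr_ok + 1))
        else
            printf 'DIFF    %s\n' "$cr_rel"   # candidate for diffoscope
        fi
    done <<EOF
$cr_list
EOF
    printf 'score: %d/%d\n' "$cr_ok" "$cr_total"
    [ "$cr_total" -gt 0 ] && [ "$cr_ok" -eq "$cr_total" ]
}

# make_sample DIR: constructed sample trees (not real artifacts) for a dry run.
make_sample() {
    mkdir -p "$1/reference" "$1/rebuild"
    printf 'same bytes\n' > "$1/reference/demo-1.0.jar"
    printf 'same bytes\n' > "$1/rebuild/demo-1.0.jar"
    printf 'built 2024\n' > "$1/reference/demo-1.0-sources.jar"
    printf 'built 2025\n' > "$1/rebuild/demo-1.0-sources.jar"
    printf '<project/>\n' > "$1/reference/demo-1.0.pom"   # absent from rebuild
}

# Usage: sh compare.sh REF_DIR OUT_DIR
if [ "$#" -eq 2 ]; then
    compare_rebuild "$1" "$2"
fi
```

Each DIFF line names a pair of files to pass to diffoscope (reference file first, rebuilt file second); a MISSING line usually means the rebuild instructions do not produce that artifact at all.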
Add Reproducible Builds Badge to a Project With Reproducible Releases
If a project has at least one release listed here with proven reproducibility success, it can add a badge pointing to its entries here:
[![Reproducible Builds](https://img.shields.io/badge/Reproducible_Builds-ok-success?labelColor=1e5b96)](https://github.com/jvm-repo-rebuild/reproducible-central#...groupId...:...artifactId...)
Notice the anchor in the link.
Rebuild Results
Rebuilding 424 releases of 126 projects:
- 303 releases were found successfully fully reproducible (100% reproducible artifacts ✔️),
- 121 had issues (some unreproducible artifacts ⚠️):
Understanding What Is Behind
see history