This plugin is a study, written as a proof of concept of Reproducible Builds tooling to ease reproducing Maven builds that are expected to be reproducible. Once feedback has been given on the Maven developer mailing list, we'll see whether it will be moved to a separate Maven plugin or whether its unique goal will be merged into an existing plugin.
The purpose of this plugin is:
to generate a buildinfo file from a build, recording fingerprints of output files as specified in Reproducible Builds for the JVM; this file will eventually be deployed to the remote repository
to help rebuilders check that their local build produces the same Reproducible Build output as the reference build published to a remote repository
To use this plugin, you'll need to build and install from source, or use SNAPSHOT from https://repository.apache.org/content/repositories/snapshots
mvn verify buildinfo:save
Configure the plugin with its save goal in your pom.xml
If the reference build is available in a remote repository with a predefined id, like central:
mvn verify buildinfo:save -Dreference.repo=central
If the reference build is available in a remote repository without a predefined id, use its URL instead:
mvn verify buildinfo:save -Dreference.repo=https://repository.apache.org/content/groups/maven-staging-group/
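As an added example (not the plugin's own code), the Python below shows what checking a local build against a reference build amounts to: read the output fingerprints from two buildinfo files and report every output whose length or SHA-512 differs, or that exists on only one side. The `outputs.<n>.*` key layout is an assumption taken from the Reproducible Builds for the JVM convention, and the file names and contents are constructed.

```python
import hashlib
import re

# Assumed key layout (Reproducible Builds for the JVM convention, not shown on
# this page): outputs.<n>.filename / .length / .checksums.sha512
_KEY = re.compile(r"outputs\.([\w.]+?)\.(filename|length|checksums\.sha512)$")
_FIELDS = {"filename", "length", "checksums.sha512"}

def record_outputs(files):
    """Render the outputs section of a buildinfo for {filename: bytes}."""
    lines = []
    for n, (name, data) in enumerate(sorted(files.items())):
        lines += [f"outputs.{n}.filename={name}",
                  f"outputs.{n}.length={len(data)}",
                  f"outputs.{n}.checksums.sha512={hashlib.sha512(data).hexdigest()}"]
    return "\n".join(lines) + "\n"

def parse_outputs(text):
    """Return {filename: (length, sha512)}; reject incomplete entries."""
    entries = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = _KEY.match(key.strip())
        if sep and m:
            entries.setdefault(m.group(1), {})[m.group(2)] = value.strip()
    for idx, e in entries.items():
        if e.keys() != _FIELDS:
            raise ValueError(f"incomplete output entry {idx}")
    return {e["filename"]: (int(e["length"]), e["checksums.sha512"].lower())
            for e in entries.values()}

def compare(reference, local):
    """List (filename, reason) for each output that differs between builds."""
    diffs = []
    for name in sorted(reference.keys() | local.keys()):
        if name not in local:
            diffs.append((name, "missing from local build"))
        elif name not in reference:
            diffs.append((name, "absent from reference build"))
        elif reference[name] != local[name]:
            diffs.append((name, "fingerprint mismatch"))
    return diffs

# Constructed sample: the jar differs by one embedded timestamp.
REFERENCE = record_outputs({"demo-1.0.jar": b"built 2020-01-01", "demo-1.0.pom": b"<project/>"})
LOCAL = record_outputs({"demo-1.0.jar": b"built 2020-01-02", "demo-1.0.pom": b"<project/>"})
if __name__ == "__main__":
    for name, reason in compare(parse_outputs(REFERENCE), parse_outputs(LOCAL)):
        print(f"{name}: {reason}")
```

An empty result from `compare` means every recorded output matches; any entry is a file to inspect before treating the published artifact as reproduced.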
org.apache.maven.plugins:maven-shade-plugin:3.2.2 mono-module, with source-release
org.apache.maven.doxia:doxia:1.9.1 multi-module, with source-release
info.guardianproject:jtorctl:0.4 mono-module, with provided buildinfo
org.apache.sling:org.apache.sling.installer.core:3.10.2 OSGI, with source-release