I was at the 5th Reproducible Builds Summit this past week, representing mostly Android topics. I attended the first two, so it was nice to see that there has been some real progress in the past few years of work. My main focus was working with an Apache/Maven developer on implementing the “buildinfo” spec for publishing reproducible Java JAR builds to Maven Central and other Maven repositories. Maven repositories are central to the whole Android and Java ecosystems as the primary means of getting libraries. We used the jtorctl library to prototype how this system will look when using the Maven, Gradle, and Bazel build systems.
Given the results of our brief work, we should have something working and deployed this year. And there is already a Maven plugin for publishing the “buildinfo” files. So it should be easy to start getting libraries to publish these to Maven Central and other Maven repositories. Then the Apache/Maven developer plans to push the Apache Software Foundation to require reproducible builds for all its official Java releases.
If you want to help with this effort, you can start publishing buildinfo files with your library, or try rebuilding libraries based on published buildinfo files to test whether there is enough information to reproduce the builds.
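One way to act on that last suggestion, as an added example that is not code from this post or from any Maven plugin: a small Python checker that reads the outputs.N entries of a .buildinfo file (key names assumed from the reproducible-builds.org JVM buildinfo spec) and compares a local rebuild's artifacts against the recorded length and SHA-512. The sample buildinfo text and the artifact bytes are constructed for the example.

```python
import hashlib

# Constructed artifact standing in for the jar a rebuild would leave in target/.
REBUILT = {"example-lib-1.0.jar": b"PK\x03\x04constructed-jar-bytes"}

# Constructed .buildinfo using the outputs.N.filename/.length/.checksums.sha512 keys of
# the reproducible-builds.org JVM spec; the digest is computed from the bytes above.
SAMPLE_BUILDINFO = f"""\
# Generated by Maven (constructed sample)
buildinfo.version=1.0-SNAPSHOT
group-id=org.example
artifact-id=example-lib
version=1.0
outputs.0.filename=example-lib-1.0.jar
outputs.0.length={len(REBUILT["example-lib-1.0.jar"])}
outputs.0.checksums.sha512={hashlib.sha512(REBUILT["example-lib-1.0.jar"]).hexdigest()}
"""

def parse_buildinfo(text: str) -> dict:
    """Read key=value lines, skipping '#' comments and blank lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def recorded_outputs(props: dict) -> list:
    """Return (filename, length, sha512) for each outputs.N entry, in index order."""
    outputs, i = [], 0
    while f"outputs.{i}.filename" in props:
        outputs.append((props[f"outputs.{i}.filename"], int(props[f"outputs.{i}.length"]),
                        props[f"outputs.{i}.checksums.sha512"].lower()))
        i += 1
    return outputs

def verify_rebuild(buildinfo_text: str, rebuilt: dict) -> dict:
    """Map each recorded output to 'ok', 'missing', 'length-mismatch' or 'sha512-mismatch'."""
    report = {}
    for name, length, digest in recorded_outputs(parse_buildinfo(buildinfo_text)):
        data = rebuilt.get(name)
        if data is None:
            report[name] = "missing"
        elif len(data) != length:
            report[name] = "length-mismatch"
        else:
            report[name] = "ok" if hashlib.sha512(data).hexdigest() == digest else "sha512-mismatch"
    return report
```

To use it on a real rebuild, read the published .buildinfo into `buildinfo_text` and fill `rebuilt` with the bytes of each file named in its outputs.N.filename entries.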
Which one is that? I know of Reproducible Build Maven Plugin – Introduction but that one doesn’t generate a buildinfo, and some searching only produced projects that record ‘build info’ but not really in the reproducible-builds sense.