Le 14/01/2015 02:41, Paul Wise a écrit : >> Yes, this is true especially in the Maven world since it guarantees >> build reproducibility. > > We plan to solve that in Debian by recording versions of > build-dependencies at build time and reproducing the build environment > when doing build reproducibility testing: > > https://wiki.debian.org/ReproducibleBuilds/BuildinfoSpecification > https://wiki.debian.org/ReproducibleBuilds/About#Reproduce_the_build_environment
I'd like to highlight that the philosophy of build reproducibility is different in the Maven and in the Debian context. Debian focuses on producing the same binaries at the byte level for a given set of versionned build dependencies, whereas Maven guarantees that the exact versions of the build dependencies will always be available in the Maven Central repository to rebuild artifacts with the same behavior (but the artifacts produced will be different due to things like timestamps in the manifests). In Debian we usually keep only one version of each library (with some notable exceptions like junit, asm or icu) and the behavior may change every time a build dependency is updated. So in the Debian context, we are almost never reproducing the same build that was executed upstream because the dependencies are different. This works well most of the time, but sometimes it goes horribly wrong (like the Maven 3.1 upgrade...) Emmanuel Bourg -- To UNSUBSCRIBE, email to debian-java-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/54b627bb.4040...@apache.org
