Hi everyone,

I followed the instructions in guides/mini/guide-reproducible-builds.html and was able to produce a reproducible build, which I can later verify on my own system. My intention is to publish this on Maven Central and provide enough information for anyone else to be able to confirm that the binaries came from the given sources.

[1] How would others verify reproducibility? They need the details of my environment (e.g., OS, version of Java), but this information is not among the artifacts published on Maven Central. I was expecting the "buildinfo" file to be distributed too, but it is not the case. I did not find it in the repositories of various libraries which claim to offer reproducible builds. Does this mean that the build details are somehow embedded in the JAR itself? Or am I missing something?

[2] What is the recommended practice regarding outputTimestamp? The tutorial sets a fixed timestamp, while an email thread on the reproducible-builds mailing list suggests setting it to 1, like so:

<project.build.outputTimestamp>1</project.build.outputTimestamp>

I find this convenient since I don't have to set the timestamp dynamically. Moreover, if I run a search on GitHub with this query `path:pom.xml <project.build.outputTimestamp>1</project.build.outputTimestamp>` I see hundreds of projects doing it. However, considering that this is not covered in the tutorial, I am wondering whether this is a best practice, or merely a hack that is good enough for practical purposes.

Looking forward to your feedback,
Alex
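One way to tackle the verification question in [1] and the timestamp question in [2], as an added example that is not from this post or from the Maven project: a small Python script that compares a published JAR against a local rebuild entry by entry (pointing at the exact entries whose timestamp or content drifted) and checks that all entry timestamps are uniform, which is what a fixed outputTimestamp is meant to produce. The sample JARs are constructed inline so it runs offline; function names and sample entries are assumptions.

```python
import hashlib
import io
import zipfile


def jar_entries(data: bytes) -> dict:
    """Map entry name -> (mtime tuple, sha256 of content) for a JAR/ZIP given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {
            info.filename: (info.date_time, hashlib.sha256(zf.read(info.filename)).hexdigest())
            for info in zf.infolist()
        }


def timestamps_are_normalized(data: bytes) -> bool:
    """True when every entry carries the same mtime, as a fixed outputTimestamp produces."""
    return len({mtime for mtime, _ in jar_entries(data).values()}) <= 1


def compare_jars(published: bytes, rebuilt: bytes) -> dict:
    """Whole-archive hash check plus the per-entry reasons a rebuild does not match."""
    a, b = jar_entries(published), jar_entries(rebuilt)
    common = a.keys() & b.keys()
    return {
        "archive_sha256_equal": hashlib.sha256(published).digest() == hashlib.sha256(rebuilt).digest(),
        "only_in_published": sorted(a.keys() - b.keys()),
        "only_in_rebuilt": sorted(b.keys() - a.keys()),
        "timestamp_differs": sorted(n for n in common if a[n][0] != b[n][0]),
        "content_differs": sorted(n for n in common if a[n][1] != b[n][1]),
    }


def build_sample_jar(entries: dict, mtime: tuple) -> bytes:
    """Constructed sample: a tiny JAR whose entries all get the given mtime (ZIP needs >= 1980)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():  # insertion order fixed -> deterministic bytes
            info = zipfile.ZipInfo(name, date_time=mtime)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inputs: same sources, one build with a fixed timestamp, one that drifted.
    sources = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "com/example/App.class": b"\xca\xfe\xba\xbe"}
    published = build_sample_jar(sources, (1980, 1, 1, 0, 0, 0))
    drifted = build_sample_jar(sources, (2024, 5, 17, 12, 0, 0))
    print("timestamps normalized:", timestamps_are_normalized(published))
    print(compare_jars(published, drifted))
```

Point it at the artifact downloaded from Maven Central and your own `target/*.jar` to see which entries (if any) break the match instead of just learning that the checksums differ.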