an independently-verifiable path from source to binary code
As part of Reproducible Builds efforts for the JVM, this "Reproducible Central" project is an attempt at:
- writing rebuild instructions for the artifacts available in the Central Repository, equivalent to the packaging instructions that are maintained by every Linux distribution (for example Debian's debian/rules or ArchLinux's PKGBUILD), whatever the build tool used (Central Repository is not used by Maven only)
- showing the level of reproducibility obtained with these instructions: how many output files from the rebuild are strictly equal to the reference in Central Repository, and how many are not yet reproducible and should be improved before the next release.
Rebuild Yourself To Check Results
You can rebuild a project release by running:
./rebuild.sh content/<path/to/...>/<project>-<version>.buildspec
The rebuild.sh script uses the build specification file (the .buildspec file) to choose a Docker container in which to rebuild the project, then checks the output against the Central Repository reference binaries.
To rebuild every project with build instructions available in this Git repository, just run (and wait for hours...):
find content -name '*.buildspec' -exec ./rebuild.sh {} \;
Contribute A New Build Spec
If you know a project released to Central Repository that is expected to provide Reproducible Builds, please tell us by opening an issue with details. Please check that it is not already in our list of projects waiting for a buildspec.
Even better, you can provide a PR containing a .buildspec build specification file (and instructions to write a new one).
Improve Reproducibility Score Of A Project Release
If a rebuild published here is not fully reproducible (it has some
You'll need to rebuild the release yourself (see previous instructions), then use diffoscope to explore the precise differences between the reference file from Central Repository and the file produced by the rebuild, then debug down to the root cause of the unwanted difference:
- rebuilder bug: if the improvement has to happen at buildspec or rebuild script level, don't hesitate to open an issue or a PR here,
- upstream project reproducibility issue 🪲: please contact the upstream project and help them improve the reproducibility for their next release, creating an issue in their issue tracker and adding it to the Reproducible Central buildspec as the issue parameter, which will link to it with a 🪲.
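A first-pass check before reaching for diffoscope, as an added example that is not part of the Reproducible Central project's code: it compares a reference JAR with a rebuilt one and separates content differences from timestamp and entry-order differences. The function names and the sample JARs are constructed for illustration.

```python
import hashlib
import io
import zipfile


def make_jar(entries, date_time=(2021, 1, 1, 0, 0, 0)):
    """Build a constructed in-memory JAR from (name, bytes) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, data in entries:
            jar.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()


def compare_jars(reference, rebuilt):
    """Classify how a rebuilt JAR (bytes) differs from the reference JAR (bytes)."""
    ref = zipfile.ZipFile(io.BytesIO(reference))
    new = zipfile.ZipFile(io.BytesIO(rebuilt))
    ref_names, new_names = ref.namelist(), new.namelist()
    common = [n for n in ref_names if n in new_names]
    return {
        # Strict byte equality is the only result that counts as reproducible.
        "identical": hashlib.sha256(reference).digest() == hashlib.sha256(rebuilt).digest(),
        "missing": [n for n in ref_names if n not in new_names],
        "extra": [n for n in new_names if n not in ref_names],
        "order_differs": common != [n for n in new_names if n in ref_names],
        "content_differs": [n for n in common if ref.read(n) != new.read(n)],
        "timestamp_differs": [n for n in common
                              if ref.getinfo(n).date_time != new.getinfo(n).date_time],
    }


# Constructed sample data: not real Central Repository artifacts.
ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
           ("com/example/App.class", b"\xca\xfe\xba\xbe constructed")]
REFERENCE = make_jar(ENTRIES)
SAME = make_jar(ENTRIES)
LATER = make_jar(ENTRIES, date_time=(2021, 6, 15, 12, 30, 0))
REORDERED = make_jar(list(reversed(ENTRIES)))
CHANGED = make_jar([(ENTRIES[0][0], b"Manifest-Version: 1.0\nBuilt-By: alice\n"), ENTRIES[1]])

if __name__ == "__main__":
    for label, jar in [("same", SAME), ("later", LATER),
                       ("reordered", REORDERED), ("changed", CHANGED)]:
        print(label, compare_jars(REFERENCE, jar))
```

An empty content_differs list alongside a non-empty timestamp_differs or a true order_differs points at the packaging step rather than at the compiled output.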
Add Reproducible Builds Badge to a Project With Reproducible Releases
If a project has at least one release listed here with proven reproducibility, it can add a badge pointing to its entries here:
[](https://github.com/jvm-repo-rebuild/reproducible-central#...groupId...:...artifactId...)
Notice the anchor in the link.
Check That My Project Uses Reproducible Dependencies
This is a future objective. But for now, given the very few projects that produce reproducible artifacts, it's a little bit early to try to automate checks of your dependencies: there is a good chance that your dependencies are not reproducible. You should help by reporting to the project owners, and help them make their build reproducible for future releases.
rebuilding 325 releases of 108 projects:
- 230 releases were found successfully fully reproducible (100% reproducible artifacts ✔️),
- 95 had issues (some unreproducible artifacts ⚠️):
see history