Request for stable, automated build process

Bobby Martin bobbymartin2 at
Mon May 5 06:09:35 CEST 2008

From: Ian Darwin <ian at>

> <SNIP>
> While I might not have worded it quite that way, I have considered writing
> a paper with the title "Maven Considered Harmful". But it would be too short
> to publish as a paper... The main problem is, as Hugo mentioned,
> dependencies can change without notice and break things on you.  You want
> repeatable builds? Write a build system that saves the complete name and MD5
> of every file, and checks every file that it downloads before using it,
> every time. The OpenBSD (Unix-like system) "ports" mechanism does this for
> all third-party software, and it therefore has repeatable builds. Maven does
> not.

Storing your MD5s will let you know *if* you are repeating a build.  It will
not (reasonably) let you repeat a build.

You need some way of identifying the file you want to build *to the revision
control system* (so you can download that version) if you want repeatable

That's why I've talked about dates for external build system, which someone
astutely pointed out could be an issue because of the many time zones
involved, and I believe they discussed some 'pin' notion in mtn.  I'm pretty
sure every RCS has some way of letting you get an identifier for the version
for each controlled file and retrieve that version later.

MD5s sound nice to verify, if you don't trust your revision control system
(or perhaps the admins ;-)


If it doesn't make you smile, you're doing something wrong.
-------------- next part --------------
An HTML attachment was scrubbed...

More information about the community mailing list