[ReproducibleCentral] add Reproducible Central in Dependencies

[hboutemy]

add new service for Reproducible Central: https://github.com/jvm-repo-rebuild/reproducible-central/tree/master

it will replace current endpoint badges used with a better approach: see example on https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/maven/maven/README.md

[github-actions]

	Messages
📖	✨ Thanks for your contribution to Shields, @hboutemy!

Generated by 🚫 dangerJS against fc3b9b1

[chris48s]

Before we attempt to get into "is this good code?" can you give me a quick overview of:

• What does this service do?
• What information is this badge communicating to users?
• etc

just so I have some context on what you are trying to achieve to review this.

[hboutemy]

very reasonable approach, given the diversity of requests you get :)
(and I'm definitively not a JavaScript expert, help welcome on code...)

I'll try to be progressive, even if it means the answer will be long: sorry, I don't see how to introduce this shorter

What does this service do?

This service is about:

1. Reproducible Builds https://reproducible-builds.org/
2. applied to the most popular Java repository = the content of Maven Central.

I'm working in this project for a good number of years now, with https://reproducible-builds.org/docs/jvm/ as a key documentation

A few years ago, we managed to improve JVM build tools to be able to do Reproducible Builds: next step has been to check that OSS projects apply Reproducible Builds in their builds
=> I created "Reproducible Central" to gather success and remaining issues of RB applied to popular JVM OSS: results are published https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/README.md

I proposed a static badge using for projects to show in their GH source that they are reproducible: see for example https://github.com/apache/maven/blob/master/README.md

And I did a few talks at various conferences to promote Reproducible Builds, particularly done with Apache Maven as an Apache Software Foundation member and maintainer of Maven: https://fr.slideshare.net/slideshow/coc-na-2023-reproducible-builds-for-the-jvm-and-beyondpptx/261996375

What information is this badge communicating to users?

The new badge I'm submitting here is the next level of all this journey: it will permit for projects not only to have a badge for their build, but go one step beyond and see the reproducibility status of their dependencies

I did a first proof of concept of that next step, based on badge endpoint that I used until now: https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/reproducible-central.html

As you can see from this report, it lists all dependencies and for each dependency displays the reproducibility status as checked by Reproducible Central

The move from badge endpoint to service is what will permit to manage 404 = dependencies that have not been checked by Reproducible Central

With this type of badge, I can get more interest by everybody, because they'll want to check their dependencies, in addition to improve their own build

[chris48s]

Thanks. I'll aim to read this and get back to you with some comments tomorrow

[chris48s]

Thanks for the explanation.
Having read over the explanation and the code I feel like we have priorities that may be slightly aligned but also may be slightly conflicting here. Hopefully we can find common ground.

If we're going to take this on, it needs to exist in a form that:

• Conforms to our usual style conventions that we use across our services
• Is useful to a wider userbase i.e: Joe Random who maintains a java package might want to put this in their README, and the responses for different cases make sense in that context

It feels at the moment like you have decided what you want to show on https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/reproducible-central.html (or similar pages) and then submitted a PR that does that. However that might not be exactly the same as what makes sense outside that context.

Finally, this is also a bit of a tricky review for me we are fairly deep in the weeds of java/maven and it is not my wheelhouse so there might be some things that do make sense if you're in that world but are new to me. I wonder if @PyvesB might be able to give a second opinion on some of this stuff? You are at least closer to it than I am, I think.

[chris48s]

To help me understand if this is the right place for this, can you explain the score. If my package scores 10/13, what is the 10 and what is the 13?

[hboutemy]

the build has 13 output files, 10 have been successfully reproduced

[chris48s]

OK. I think I'd probably put this under the "analysis" category then.

[hboutemy]

what I loved about dependencies is that the new dynamic badge is useful in dependencies use case = my project has many dependencies
analysis looks like I'm looking at the analysis of my project = not what will be the use case for this badge

[chris48s]

Lets go back to "what does this score mean?"

My interpretation of what you've said

the build has 13 output files, 10 have been successfully reproduced

is that those 13 output files are all intrinsic to the package (i.e: this package that has 13 output files might depend on zero other packages and produce 13 output files).

If metric is actually "this package depends on 13 other packages, 10 of which are reproducible" then "dependencies" makes sense as a category.

[chris48s]

What is a ga? Also a gav? Are these terms that make sense to someone in the java/maven ecosystem?

[hboutemy]

yes, they make sense in JVM/Java/Maven ecoystem

[hboutemy]

If we're going to take this on, it needs to exist in a form that:

• Conforms to our usual style conventions that we use across our services

I updated the code, I think it is now ok: please tell me if anything still looks weird

• Is useful to a wider userbase i.e: Joe Random who maintains a java package might want to put this in their README, and the responses for different cases make sense in that context

I understand the expectation, fully legitimate.

This goes back to the category: dependency.
This badge is intended to rate a Maven Central component's Reproducible Builds status when it is used as a dependency: as such, it won't be used in a readme of a project: for project's readme, I already have project-scoped badges that perfectly works without dynamic badge, see for example a few README that use it:

• simple "mono module" projects like https://github.com/codehaus-plexus/plexus-utils
• more complex "multi-module" projects like https://github.com/codehaus-plexus/modello

Each time, to understand the details of the meaning of the rating, following the link from the badge is key: the linked page explains what is necessary to the user (the number of modules of the project and detailed info on reproducible builds for each release of the project)

so project badge is ok without this PR, and already used in READMEs

this PR is about the big next step: reporting on a project when it is consumed by another project, aka. when it's used as a dependency
I have my own use case with the dependencies report https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/reproducible-central.html
Someone else from the Reproducible Central has another use case where he did his own badge for a use case when the dependency is being proposed for upgrade by Renovate bot: see jvm-repo-rebuild/reproducible-central#421 for his explanations, and his example PhilippHeuer/renovate-test#8 (see the "Reproducible" column)
The badge from this PR should be used once it is available
Each time it is about evaluating a dependency, this badge makes sense.

[chris48s]

Thanks. I like this latest draft. I've left a few comments but I think this is quite close to merging.

[github-actions]

🚀 Updated review app: https://pr-10705-badges-shields.fly.dev

[chris48s]

Thanks. This latest version looks good. Before I go ahead and approve/merge this I am going to leave it open for a couple of days in case @PyvesB is able to give it a look. A once over from someone who actually codes a bit of java would be useful if possible. If not, I'll just go ahead and merge it next week.

[hboutemy]

thanks for the great help: the review improved the solution a lot, that's awesome

[PyvesB]

Sorry, busy period. Will try to take a look in the coming days!

[PyvesB]

Everything seems pretty reasonable to me. Thanks to both of you for the great work!

[hboutemy]

FYI, I just updated the report to use the new dynamic badge https://maven.apache.org/plugins-archives/maven-artifact-plugin-LATEST/reproducible-central.html
great result, thanks for your help