tadfisher
commented
3 years ago The problem this project solves is that Gradle deals only in dependencies, when what we want is artifacts.
Dependencies are generally Maven coordinates (group, module, version, and optionally classifier and type), and artifacts are the actual files needed to build the project or resolve further dependencies (Java JARs, Maven POMs, Ivy XML descriptors, and/or Gradle module metadata files).
Gradle locks dependency information, sure, but the process of resolving dependencies into artifacts is terribly complex. Moreover, resolution is impossible to reproduce in Nix, because a project can modify the resolution process with arbitrary code!
So while lockfiles are useful for other build systems such as Cargo or Yarn, they're not much use to us as they don't map 1:1 with the actual JARs you end up with on Gradle's classpath. So we need to coax Gradle itself to give us the artifact set after it has been resolved, and try to trace those artifacts back to URLs along with their hashes so we can later create a reproducible Maven/Ivy repository that Gradle can use to build the project in a Nix sandbox.
But now that I look into it, recent Gradle versions support dependency verification, which we may be able to abuse to produce something analogous to a lockfile for artifacts. I'll report back on this.
zsiegel
Hi there
I was reading about this project as I started to explore reproducible gradle builds.
I read the readme and understand (I think) how this package intends to function.
I am curious if enforcing the use of Gradle lockfiles would eliminate the need for the network based dependency tracking?
I was planning to use the single lockfile approach to ensure my gradle builds are reproducible before even attempting to integrate it into a Nix pkg but was curious if you have any thoughts on this?
Thank you for this project I will dig in further!