Can't build jabref reproducibly

The dependencies solved by gradle is changing even though I locked it. I thought the reason is that snapshot versions of deps are used. Could you please don’t use snapshot at least in release? Is there any way to pin it? Thanks!

Hm, have you tried the dependency locking in gradle Locking dependency versions ?

Yes, I tried that. But it only locks dynamic version while snapshot is a changing version as said in the doc.

Dependency locking makes sense only with dynamic versions. It will have no impact on changing versions (like -SNAPSHOT) whose coordinates remain the same, though the content may change. Gradle will even emit a warning when persisting lock state and changing dependencies are present in the resolution result.

I see, however I don’t think it’s possible at the moment https://github.com/gradle/gradle/issues/8627

The only workaround is that you download the snapshot versions and put them in the libs folder.
Of course they have to be excluded in gradle deps

How about using 'com.github.sialcasa.mvvmFX:mvvmfx-validation:f195849ca9' from jitpack.io?

Thanks, that could work, will try this

I’ve created a PR:

1 Like

Can you test if this works for you?

I thought I need a gradle.lockfile. It can be generated with gradle dependencies --write-locks.

Okay, I added one. We just need to see how it works with dependabot and updating the deps.

I can’t build jabref on NixOS because openjdk 18 hasn’t been packaged yet. So I can’t test it, sorry.

Hi, 5.9 introduced 2 new deps with snapshot version. Could you please pin them to a commit? Thanks!