Making a Lockfile for Maven - Adam Kaplan, Red Hat

OpenSSF
Jun 1, 2026

Why It Matters

Adopting lock files and the Maven plugin improves build reproducibility, dependency provenance and integrity, and helps prevent runtime failures from conflicting versions—strengthening Java supply-chain security and reliability.

Summary

Adam Kaplan of Red Hat outlined the need for formal lock files in Java builds and highlighted recent academic research defining what a good lock file should contain. The research identified three pillars: complete dependency documentation and provenance, integrity verification (typically checksums or signatures), and automatic, tool-generated use during builds. Maven has no native lockfile; the Maven Lockfile Plugin from KTH's Chains project fills the gap by generating and validating lock files, producing frozen POMs, and optionally including plugin dependencies, which matters for complex multi-module and monorepo setups. Kaplan emphasized that the plugin integrates into standard POMs and the normal build lifecycle, making reproducible, verifiable Java builds practical.
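To make the three pillars concrete, the following added example (not code from the talk, the Maven Lockfile Plugin, or KTH) generates a lockfile from a set of resolved artifacts and then validates a later build against it. The JSON layout (a `lockfileVersion` field plus `dependencies` entries carrying `groupId`, `artifactId`, `version`, `checksumAlgorithm` and `checksum`), the `groupId:artifactId:version` key format, and the artifact bytes are all assumptions made here for illustration; a real validator would hash the downloaded `.jar` files in the local repository rather than constructed byte strings.

```python
"""Generate and validate a dependency lockfile (added example; the file layout
below is assumed for illustration and is not the Maven Lockfile Plugin's schema)."""
import hashlib

# Maven repositories have traditionally published .md5/.sha1 files beside each
# artifact. Those catch corruption but not a deliberate swap, so a lockfile
# pinned with them is flagged rather than trusted.
WEAK_ALGORITHMS = {"md5", "sha1"}


def digest(data: bytes, algorithm: str) -> str:
    """Hex digest of artifact bytes under a Maven-style name such as 'SHA-256'."""
    return hashlib.new(algorithm.lower().replace("-", ""), data).hexdigest()


def generate_lockfile(resolved: dict[str, bytes], algorithm: str = "SHA-256") -> dict:
    """Pin every resolved artifact (key 'groupId:artifactId:version') with a checksum.

    Entries are emitted in sorted order so two runs over the same dependency
    tree produce identical output: the file stays diffable and reviewable.
    """
    dependencies = []
    for coordinates in sorted(resolved):
        group_id, artifact_id, version = coordinates.split(":")
        dependencies.append({
            "groupId": group_id,
            "artifactId": artifact_id,
            "version": version,
            "checksumAlgorithm": algorithm,
            "checksum": digest(resolved[coordinates], algorithm),
        })
    return {"lockfileVersion": 1, "dependencies": dependencies}  # assumed layout


def validate(lockfile: dict, resolved: dict[str, bytes]) -> list[str]:
    """Compare a lockfile with what the build actually resolved.

    Returns one finding per problem. An empty list means the resolved tree is
    exactly the locked tree and every artifact's bytes match its pinned checksum.
    """
    findings = []
    locked = {}
    for dep in lockfile["dependencies"]:
        locked[f'{dep["groupId"]}:{dep["artifactId"]}:{dep["version"]}'] = dep

    # Integrity and completeness in one direction: everything locked must be
    # present and must hash to the pinned value.
    for coordinates, dep in locked.items():
        algorithm = dep["checksumAlgorithm"]
        if algorithm.lower().replace("-", "") in WEAK_ALGORITHMS:
            findings.append(f"WEAK {coordinates}: pinned with {algorithm}")
        if coordinates not in resolved:
            findings.append(f"MISSING {coordinates}: locked but not resolved")
            continue
        actual = digest(resolved[coordinates], algorithm)
        if actual != dep["checksum"]:
            findings.append(f"MISMATCH {coordinates}: expected {dep['checksum'][:12]}..., "
                            f"got {actual[:12]}...")

    # Completeness in the other direction: nothing may sneak into the build
    # that the lockfile does not document.
    for coordinates in sorted(resolved):
        if coordinates not in locked:
            findings.append(f"UNLOCKED {coordinates}: resolved but absent from lockfile")
    return findings


# Constructed stand-ins for artifact bytes (not real jars).
CONSTRUCTED_ARTIFACTS = {
    "org.example:core:1.4.2": b"PK\x03\x04 core-1.4.2 (constructed jar contents)",
    "org.example:logging:2.0.0": b"PK\x03\x04 logging-2.0.0 (constructed jar contents)",
}


def demo() -> tuple[list[str], list[str]]:
    """Lock a clean build, then validate a drifted one against the same lockfile."""
    lockfile = generate_lockfile(CONSTRUCTED_ARTIFACTS)
    clean = validate(lockfile, CONSTRUCTED_ARTIFACTS)

    # Later build: same coordinates for core but different bytes (re-published or
    # swapped artifact), logging has vanished, and an unlocked dependency appeared.
    drifted = {
        "org.example:core:1.4.2": b"PK\x03\x04 core-1.4.2 (different bytes, same version)",
        "org.example:util:0.9.1": b"PK\x03\x04 util-0.9.1 (constructed jar contents)",
    }
    return clean, validate(lockfile, drifted)


if __name__ == "__main__":
    clean_findings, drifted_findings = demo()
    print("clean build:", clean_findings or "OK")
    for finding in drifted_findings:
        print("drifted build:", finding)
```

The MISMATCH case is the one worth dwelling on: the coordinates are unchanged, so a version-only comparison (which is all a plain POM gives you) would pass, and only the pinned checksum reveals that different bytes were resolved.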

Original Description

Making a Lockfile for Maven - Adam Kaplan, Red Hat
Many package ecosystems produce a comprehensive list of dependencies known as a lockfile. These files serve several purposes, ranging from optimizing application assembly to verifying package integrity and ensuring reproducible builds. Newer package ecosystems such as npm, cargo, and go modules incorporated lockfiles in their designs from the start. More recently, the Python community adopted a lockfile standard that works across multiple packaging tools, and dnf is experimenting with its own lockfile standard for RPM packages.
Using recent academic research, this session will describe the key requirements for lockfiles and apply them to one of the most widely adopted package ecosystems: Apache Maven. Through the experiences of the Maven Lockfile Plugin project, you will learn the challenges of building a backwards-compatible lockfile and the barriers to generating complete Maven lockfiles in all situations. This session will conclude with other attempts within the Maven ecosystem to provide similar lockfile capabilities and the hurdles to making these features more widely adopted.
