Feature Request: Repository Identifiers in lockfile

[adambkaplan]

In order to reproduce/regenerate a Maven repository from a lockfile, each GAV-ed artifact needs the following:

1. The artifact (log4j-1.4.1.jar)
2. The artifact checksum (log4j-1.4.1.jar.sha1)
3. The artifact POM (log4j-1.4.1.pom)
4. The artifact POM checksum (log4j-1.4.1.pom.sha1)
5. The _remote.repository file.

The latter (_remote.repository) is an internal implementation detail of Maven used to track the source of the dependencies, and looks like this:

#NOTE: This is a Maven Resolver internal implementation file, its format can be changed without prior notice.
#Tue May 20 10:52:25 EDT 2025
commons-text-1.13.1.jar>central=
commons-text-1.13.1.pom>central=

...where central is the ID of the Maven repository used to pull the artifact.

I think it makes sense for the lockfile to do the following:

1. For each artifact, include a field that references the source repository by its ID.
2. Include in the metadata (perhaps as a separate JSON object) the list of repositories and their settings (url, layout, etc.)

[LogFlames]

Hi,
Thank you for the issues!

1. We already read the _remote.repositories file to produce the "resolved" url, and including the repository ID sounds very reasonable.
2. Would the metadata need more information than is provided in the pom.xml? If we were to add the pom-checksum from Lockfile should include link to pom and checksum of pom #1064 , would that information suffice?

[adambkaplan]

Would the metadata need more information than is provided in the pom.xml? If we were to add the pom-checksum from Lockfile should include link to pom and checksum of pom #1064 , would that information suffice?

My intent here is for the lockfile to provide enough information that an equivalent <repositories> element could be added to the pom.locked.xml. I believe this is supported in Maven's guide for multiple repositories