On Fri, 1 May 2026 at 09:30, Alex Herbert <[email protected]> wrote:
> The commons release plugin includes this helper note: > > --- > 4b) Check reproducibility > > To check that a build is reproducible, run: > > mvn clean verify artifact:compare -DskipTests -Dreference.repo= > https://repository.apache.org/content/repositories/staging/ > '-Dbuildinfo.ignore=*/*.spdx.json' > > Note that this excludes SPDX files from the check. > --- > > However there are some caveats: > > 1. The timezone must match. > 2. The JDK must match the one used for the release build. > > I suggest the instructions be updated with this information, e.g. > > --- > # Use JDK 11 > export TZ="Europe/London" > --- > > I believe the timezone may be solved by always building our releases using > the TZ=UTC. But the correct JVM is still required. > > Thoughts on this? > > Alex > > A test on a modified release plugin (uses ${java.version} and ${user.timezone}): --- # Verify using a JDK major version matching: 17.0.17 export TZ="Europe/London" mvn clean verify artifact:compare -DskipTests -Dreference.repo= https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json' --- This will be appropriate as long as the VOTE mail is generated using the same JDK used for the release, within the same settings for the timezone. Alex
