In a recent post, Piotr suggested the following:

> Could you also add a "release-verify" profile so that running:
>
> ./mvnw -P release-verify -Dreference.repo=https://repository.apache.org/content/repositories/orgapachelogging-1113
>
> verifies that:
> 1. builds are reproducible,
> 2. signatures match.

I had a talk with him and we decided to not proceed with adding these features:

1. In the case of the reproducibility check, the amount of boilerplate we will be adding doesn't justify the convenience that will potentially be provided to the user. That is, `./mvnw clean verify artifact:compare -Dreference.repo=...` vs. `./mvnw -P release-verify -Dreference.repo=...`: the win is negligible.
2. The verification will be against the unofficial Nexus artifacts, not the official ASF SVN uploads.
3. The verification will use local and public key stores, not the `KEYS` file.
4. We don't know of a practical way (i.e., without needing to boil oceans) to validate signatures of artifacts at a particular remote URL. There is `pgpverify-maven-plugin`, but it doesn't accept a repo argument.
5. Can we at least determine the Nexus URL during `deploy` so we don't need to manually correct it every time? Not that we know of. Sonatype's `nxrm3-maven-plugin` provides a tagging feature (which indeed influences the URL), though it only works against Nexus 3 and ASF uses Nexus 2.
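Points 3 and 4 above describe what the Maven-side check would get wrong: it would trust local and public key stores rather than the project's `KEYS` file, and no plugin verifies signatures at a given remote URL. The script below is an added example, not code from the original post or from the Log4j project, showing the manual check a release verifier can run instead: mirror the staging repository into a directory (for example with `wget -r -np`, an assumed step), import the `KEYS` file into a throwaway keyring, and verify every artifact's checksum sidecar and detached `.asc` signature against that keyring only. It assumes `gpg` and `sha512sum`/`sha1sum` (or `shasum`) are installed and that artifact file names contain no spaces; the file names in the usage line are placeholders.

```shell
#!/usr/bin/env sh
# Added example, not code from the original post or from the Log4j project.
# Verifies a locally mirrored staging repository: import the KEYS file into
# an isolated keyring, then check each artifact's checksum sidecar and its
# detached .asc signature. Assumes the repository was already downloaded
# into a directory, gpg and sha512sum/sha1sum (or shasum) are available,
# and artifact file names contain no spaces.
set -eu

# Print the hex digest of a file, portable across coreutils and BSD tools.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then sha512sum "$1" | awk '{print $1}'
  else shasum -a 512 "$1" | awk '{print $1}'; fi
}
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then sha1sum "$1" | awk '{print $1}'
  else shasum -a 1 "$1" | awk '{print $1}'; fi
}

# verify_checksum ARTIFACT: compare ARTIFACT against its .sha512 sidecar,
# falling back to the .sha1 that Nexus generates; fail if neither exists.
# Sidecars may hold either a bare digest or "digest  filename".
verify_checksum() {
  artifact=$1
  if [ -f "$artifact.sha512" ]; then
    expected=$(awk '{print $1; exit}' "$artifact.sha512"); actual=$(sha512_of "$artifact")
  elif [ -f "$artifact.sha1" ]; then
    expected=$(awk '{print $1; exit}' "$artifact.sha1"); actual=$(sha1_of "$artifact")
  else
    echo "no checksum sidecar for $artifact" >&2; return 1
  fi
  [ "$expected" = "$actual" ]
}

# import_keys KEYS_FILE GNUPGHOME: populate an isolated keyring from the
# project's KEYS file, so verification depends neither on the user's own
# keyring nor on a public key server.
import_keys() {
  mkdir -p "$2"; chmod 700 "$2"
  gpg --homedir "$2" --batch --quiet --import "$1"
}

# verify_sig GNUPGHOME ARTIFACT: check the detached signature ARTIFACT.asc.
# gpg exits 0 for a good signature even when the key is not marked trusted,
# which is what we want here: the KEYS file is the trust anchor.
verify_sig() {
  [ -f "$2.asc" ] || { echo "missing signature: $2.asc" >&2; return 1; }
  gpg --homedir "$1" --batch --quiet --verify "$2.asc" "$2" 2>/dev/null
}

# verify_dir KEYS_FILE DIR: verify every artifact below DIR, skipping the
# sidecar and repository metadata files. Exit status 0 only if all passed.
verify_dir() {
  keys_file=$1; dir=$2
  home=$(mktemp -d)
  import_keys "$keys_file" "$home"
  failures=0
  for f in $(find "$dir" -type f ! -name '*.asc' ! -name '*.sha512' ! -name '*.sha1' \
                 ! -name '*.md5' ! -name 'maven-metadata*' ! -name 'archetype-catalog*'); do
    if verify_checksum "$f" && verify_sig "$home" "$f"; then
      echo "OK   $f"
    else
      echo "FAIL $f"; failures=$((failures + 1))
    fi
  done
  rm -rf "$home"
  [ "$failures" -eq 0 ]
}

# Usage (placeholder paths): sh verify-staging.sh KEYS ./orgapachelogging-1113
if [ $# -eq 2 ]; then verify_dir "$1" "$2"; fi
```

Because the keyring is created empty and filled only from `KEYS`, a signature made with a key that is not in that file fails even if the signer's key is on a key server or in the verifier's own keyring, which is exactly the distinction point 3 draws.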