Hi Gary, On Sun, 1 Sept 2024 at 23:00, Piotr P. Karwasz <piotr.karw...@gmail.com> wrote: > On Sun, 1 Sept 2024 at 22:44, Gary Gregory <garydgreg...@gmail.com> wrote: > > [ERROR] sha512 mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate > > with diffoscope > > target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml > > target/bom.xml > > Could you investigate with `diff > target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml > target/bom.xml`?
Since you are the main Release Manager of Apache Commons, try clearing the local Maven cache (e.g. `~/.m2/repository/org/apache/commons`). It is possible you have some unofficial Commons releases in your cache, which breaks the reproducibility of the SBOM. Piotr