On Sun, Sep 1, 2024 at 5:09 PM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote: > > Hi Gary, > > On Sun, 1 Sept 2024 at 23:00, Piotr P. Karwasz <piotr.karw...@gmail.com> > wrote: > > On Sun, 1 Sept 2024 at 22:44, Gary Gregory <garydgreg...@gmail.com> wrote: > > > [ERROR] sha512 mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate > > > with diffoscope > > > target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml > > > target/bom.xml > > > > Could you investigate with `diff > > target/reference/org.apache.logging.log4j/log4j-bom-2.24.0-cyclonedx.xml > > target/bom.xml`? > > Since you are the main Release Manager of Apache Commons, try clearing > the local Maven cache (e.g. `~/.m2/repository/org/apache/commons`). It > is possible you have some unofficial Commons releases in your cache, > which breaks the reproducibility of the SBOM.
Yep, that helped! TY Piotr. rm -rf ~/.m2/repository/org/apache/commons sh mvnw -Prelease verify artifact:compare -Dreference.repo=$NEXUS_REPO Now I get: [INFO] Results: [INFO] [ERROR] Failures: [ERROR] NetUtilsTest.testCanonicalHostName:78 Expecting actual: "localhost" to contain: "." [INFO] [ERROR] Tests run: 2253, Failures: 1, Errors: 0, Skipped: 31 [INFO] ? Gary > > Piotr