[COMPRESS] COMPRESS-655: FramedSnappyCompressorOutputStream produces incorrect output when writing large buffer

2024-01-04 Thread Chad Preisler
Hello,

I've created a bug report for a problem I ran into with the snappy output
stream. I've created a pull request with a fix and unit tests for the
issue. Please let me know if there is additional work that needs to be
done. I would really like to get this issue fixed for the next release.

https://issues.apache.org/jira/browse/COMPRESS-655
https://github.com/apache/commons-compress/pull/457

Thanks,
Chad


Re: [COMPRESS] COMPRESS-655: FramedSnappyCompressorOutputStream produces incorrect output when writing large buffer

2024-01-04 Thread Gary Gregory
I'll look into it (tomorrow).

Gary

On Thu, Jan 4, 2024, 4:55 PM Chad Preisler wrote:

> Hello,
>
> I've created a bug report for a problem I ran into with the snappy output
> stream. I've created a pull request with a fix and unit tests for the
> issue. Please let me know if there is additional work that needs to be
> done. I would really like to get this issue fixed for the next release.
>
> https://issues.apache.org/jira/browse/COMPRESS-655
> https://github.com/apache/commons-compress/pull/457
>
> Thanks,
> Chad
>


Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1

2024-01-04 Thread Herve Boutemy
Hi team,

I'm happy to have people like you trying to rebuild and compare: your feedback 
on your experience is very valuable.

Here are a few remarks on this thread:

- if you want to rebuild and *compare against a remote repository* (be it a 
SNAPSHOT or a release), you absolutely need to *avoid "mvn install" first*, 
because this install step completely dismisses the remote repository.
A corollary is that you need to check your local repo (~/.m2/repository) and 
eventually clean it.

And sadly it's not easy for artifact:compare to detect if the reference file 
comes from local mvn install or from a download from remote... I need to think 
more about this: created https://issues.apache.org/jira/browse/MARTIFACT-58

- on the diffoscope output not being easy to analyze to know how to fix issues:
Can you confirm that the "artifact:compare" output is ok to read and 
discover how to run diffoscope?
Can you confirm that diffoscope output is ok to read, to see the diff (even if 
you don't know yet how to fix the build to avoid that difference)?

on going from diff reading step to instructions on how to fix: given the very 
diverse nature of issues that can lead to the difference, I don't see how to 
make analysis easier than pure reader's experience
Piotr found the issue about the second run of bundle plugin and about moditect 
1.1.0 sensitivity to TZ: I don't know how hard it was to learn this, nor how.
Do you have any idea on how to ease such discovery?

Any other feedback appreciated

Regards,

Hervé

On 2023/12/29 18:33:29 Gary Gregory wrote:
> TY Piotr!
> 
> Putting your pieces together for a local Commons Compress, this works for me:
> 
> export TZ=UTC
> mvn clean install
> mvn clean package artifact:compare \
> -Dreference.repo=apache.snapshots \
> -DskipTests \
> -Dcommons.spdx.version=0.7.1 -Dspdx.skip
> 
> Gary
> 
> On Fri, Dec 29, 2023 at 12:44 PM Piotr P. Karwasz wrote:
> >
> > Hi Gary,
> >
> > On Fri, 29 Dec 2023 at 15:11, Gary Gregory wrote:
> > > I run, copied from the
> > > https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec:
> > >
> > > mvn -Prelease clean package package -DskipTests -Dmaven.javadoc.skip
> > > -Dgpg.skip -Dcyclonedx.skip -Dcommons.release.dryRun
> > > -Dcommons.release.isDistModule=false
> > >
> > > Then:
> > >
> > > mvn package package artifact:compare
> >
> > Maven has a short guide to check reproducibility:
> > https://maven.apache.org/guides/mini/guide-reproducible-builds.html
> >
> > If you want to check a local artifact vs a previous local artifact you
> > need to use:
> >
> > mvn clean install
> > mvn clean package artifact:compare -DskipTests
> >
> > The first run installs the artifact into the local Maven repo, the
> > second one generates new ones and compares them with those installed.
> >
> > To check local vs remote you just need the second part. I am able to
> > reproduce the current Commons Compress snapshot with:
> >
> > export TZ=UTC
> > export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
> > mvn clean package artifact:compare \
> > -Dreference.repo=apache.snapshots \
> > -DskipTests \
> > -Dcommons.spdx.version=0.7.1 -Dspdx.skip
> >
> > I have no idea how those snapshots are generated, but they match my
> > local ones. The last line bumps the SPDX Maven Plugin to a version
> > that supports `-Dspdx.skip` ;-)
> >
> > Piotr
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > For additional commands, e-mail: dev-h...@commons.apache.org
> >
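
An added example, not part of the thread and not code from Maven or the artifact plugin: a pre-check for the local repository problem described above, listing files under ~/.m2/repository that were put there by "mvn install" rather than downloaded. It assumes Maven Resolver's `_remote.repositories` tracking file, which records `<file>>repoId=` for a download and `<file>>=` for a local install; the function names and the 1.26.0-SNAPSHOT sample version are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: each version directory in the local repository
# holds a _remote.repositories file with one "<file>>repoId=" line per
# downloaded file and one "<file>>=" line per locally installed file.

# locally_installed REPO_DIR GROUP_ID ARTIFACT_ID
# Prints "version<TAB>file" for every file that came from a local install.
locally_installed() {
    repo=$1
    dir="$repo/$(printf '%s' "$2" | tr . /)/$3"
    [ -d "$dir" ] || return 0
    for tracking in "$dir"/*/_remote.repositories; do
        [ -f "$tracking" ] || continue
        version=$(basename "$(dirname "$tracking")")
        # An empty repository id (line ends in ">=") means "installed locally".
        sed -n 's/^\([^#].*\)>=$/\1/p' "$tracking" |
            while IFS= read -r file; do
                printf '%s\t%s\n' "$version" "$file"
            done
    done
}

# make_sample_repo DIR
# Constructed sample layout: one downloaded release, one installed snapshot.
make_sample_repo() {
    base="$1/org/apache/commons/commons-compress"
    mkdir -p "$base/1.25.0" "$base/1.26.0-SNAPSHOT"
    printf '%s\n' '#NOTE: constructed sample' \
        'commons-compress-1.25.0.jar>central=' \
        'commons-compress-1.25.0.pom>central=' \
        > "$base/1.25.0/_remote.repositories"
    printf '%s\n' '#NOTE: constructed sample' \
        'commons-compress-1.26.0-SNAPSHOT.jar>=' \
        'commons-compress-1.26.0-SNAPSHOT.pom>=' \
        > "$base/1.26.0-SNAPSHOT/_remote.repositories"
}

# Demo on the constructed sample; point the first argument at
# "$HOME/.m2/repository" to check a real local repository.
sample=$(mktemp -d)
make_sample_repo "$sample"
locally_installed "$sample" org.apache.commons commons-compress
rm -rf "$sample"
```

Any version it prints is one where a comparison against a remote reference repository would silently use the locally installed files, so that version directory is the part of the local repository to clean before running the compare.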