Re: [VOTE] Release Apache Log4j `2.24.0`

2024-09-04 Thread Christian Grobmeier


On Tue, Sep 3, 2024, at 21:51, Gary Gregory wrote:
> From my point of view, building has gotten worse and less reliable over
> time :-(

To be fair, the new build system was, at least for me, welcoming and 
straightforward to use. Although complex under the hood, it’s a major 
improvement over the build system we had in log4j1 (like Stone Age to 
enterprise) and also lots better than the various documents with different 
content we had with early log4j2.

I am not sure why it did not build on your machine but on the others, but it is 
certainly worth improving the system we have today.

I see a trend within this team that only a few people push forward changes like 
maintaining the build. I think it would be beneficial if others would learn 
more about how it works and the details so everyone can provide patches.

Volkan already offered to help. If there is more interest we maybe could have 
a video training session on the details, assuming Volkan would be willing to do 
this as well. I would be certainly interested in this.

Cheers 

> My -1 vote reflects this.
>
> Gary
>
> On Tue, Sep 3, 2024, 2:55 PM Volkan Yazıcı wrote:
>
>> Gary, do you know what is the difference between RC1 and RC2? Nothing.
>> Piotr only kindly added a one-liner condition check to the contending
>> (FQDN-related) test to make it up to you. That is the only difference –
>> plus, he updated the review kit (shared in the email) to avoid the
>> reproducibility check on Windows. Put another way, RC1 is effectively
>> identical to RC2, bit by bit.
>>
>> My point is, 3 people verified the release and CI runs passed on all 3
>> platforms – there is definitely something unexpected in your setup. As you
>> know better, issuing an RC is a time and energy consuming task. Besides RM,
>> other voters put effort into it too. Would you mind asking for further help
>> instead of downvoting a release due to local failures, please? I would have
>> been more than happy to assist you in a video call, instead of re-issuing
>> the whole release.
>>
>> On Tue, Sep 3, 2024 at 4:04 PM Gary D. Gregory 
>> wrote:
>>
>> > -1
>> >
>> > On Windows, I deleted my entire .m2/repository folder and then ran
>> >
>> > mvnw -Prelease clean verify artifact:compare
>> -Dreference.repo=%NEXUS_REPO%
>> >
>> > and got:
>> >
>> > [INFO] Minimal buildinfo generated from downloaded artifacts:
>> >
>> C:\Users\ggregory\rc\2.24.0\src\target\reference\log4j-bom-2.24.0.buildinfo
>> > [ERROR] size mismatch log4j-bom-2.24.0.pom: investigate with diffoscope
>> > target\reference\org.apache.logging.log4j\log4j-bom-2.24.0.pom
>> > .flattened-pom.xml
>> > [ERROR] size mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate with
>> > diffoscope
>> > target\reference\org.apache.logging.log4j\log4j-bom-2.24.0-cyclonedx.xml
>> > target\bom.xml
>> > [ERROR] Reproducible Build output summary: 0 files ok, 2 different
>> > [ERROR] see diff target\reference\log4j-bom-2.24.0.buildinfo
>> > target\log4j-bom-2.24.0.buildinfo
>> > [ERROR] see also
>> > https://maven.apache.org/guides/mini/guide-reproducible-builds.html
>> > [INFO] Reproducible Build output comparison saved to
>> > C:\Users\ggregory\rc\2.24.0\src\target\log4j-bom-2.24.0.buildcompare
>> > [INFO] Aggregate buildcompare copied to
>> > C:\Users\ggregory\rc\2.24.0\src\target\log4j-bom-2.24.0.buildcompare
>> > [INFO]
>> > 
>> > [INFO] Reactor Summary for Apache Log4j BOM 2.24.0:
>> > [INFO]
>> > [INFO] Apache Log4j BOM ... FAILURE
>> [02:58
>> > min]
>> > [
>> >
>> > So I give up after trying macOS, Linux, and Windows.
>> >
>> > Gary
>> >
>> > On 2024/09/03 13:23:59 "Gary D. Gregory" wrote:
>> > > Note that I add "clean" *(why does the kit not use "clean"?)
>> > >
>> > > mvnw -Prelease clean verify artifact:compare
>> -Dreference.repo=$NEXUS_REPO
>> > >
>> > > Gary
>> > >
>> > > On 2024/09/03 13:21:32 "Gary D. Gregory" wrote:
>> > > > It fails differently on Ubuntu:
>> > > >
>> > > > ...
>> > > > [INFO] --- artifact:3.5.1:compare (default-cli) @ log4j-api ---
>> > > > [WARNING]  property is inherited from
>> > outside the reactor, it should be defined in parent POM from reactor
>> > /mnt/c/Users/ggregory/rc/2.24.0/src/.flattened-pom.xml
>> > > > [INFO] Reference buildinfo file not found: it will be generated from
>> > downloaded reference artifacts
>> > > > [INFO] Reference build java.version: 17 (from MANIFEST.MF
>> > Build-Jdk-Spec)
>> > > > [INFO] Reference build os.name: Unix (from pom.properties newline)
>> > > > [INFO] Minimal buildinfo generated from downloaded artifacts:
>> >
>> /mnt/c/Users/ggregory/rc/2.24.0/src/log4j-api/target/reference/log4j-api-2.24.0.buildinfo
>> > > > [ERROR] sha512 mismatch log4j-api-2.24.0-sources.jar: investigate
>> with
>> > diffoscope
>> >
>> log4j-api/target/reference/org.apache.logging.log4j/log4j-api-2.24.0-sources.jar
>> > log4j-api/target/log4j-api-2.24.0-sources.jar
>> > > > [ERROR] Reproducibl
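
Added example, not part of the thread or of the Log4j project's tooling: a first-pass Python triage for a `sha512 mismatch` on a jar like the one reported above, classifying each entry as differing in content, in line endings only, or in timestamp only before turning to diffoscope as the plugin output suggests. The jars, entry names and contents are constructed in memory for illustration.

```python
import io
import zipfile

def make_jar(entries, date_time):
    """Build an in-memory jar (zip) from {name: bytes}, all entries sharing one timestamp."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), data)
    return buf.getvalue()

def _unix_newlines(data):
    return data.replace(b"\r\n", b"\n")

def triage_jar(reference, rebuilt):
    """Return (entry, reason) pairs explaining why two jars hash differently."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(reference)) as ref, \
         zipfile.ZipFile(io.BytesIO(rebuilt)) as new:
        ref_info = {i.filename: i for i in ref.infolist()}
        new_info = {i.filename: i for i in new.infolist()}
        for name in sorted(ref_info.keys() | new_info.keys()):
            if name not in new_info:
                findings.append((name, "missing in rebuilt"))
            elif name not in ref_info:
                findings.append((name, "extra in rebuilt"))
            elif ref.read(name) != new.read(name):
                same_text = _unix_newlines(ref.read(name)) == _unix_newlines(new.read(name))
                findings.append((name, "line endings only" if same_text else "content differs"))
            elif ref_info[name].date_time != new_info[name].date_time:
                findings.append((name, "timestamp only"))
        # Same entries and metadata, but a different order, still changes the archive hash.
        if not findings and ref.namelist() != new.namelist():
            findings.append(("<archive>", "entry order only"))
    return findings

# Constructed sample jars (not the real log4j-api-2.24.0-sources.jar).
REFERENCE = make_jar({
    "META-INF/MANIFEST.MF": b"Build-Jdk-Spec: 17\n",
    "pom.properties": b"version=2.24.0\n",
    "Logger.java": b"interface Logger {}\n",
}, (2024, 9, 3, 0, 0, 0))
REBUILT = make_jar({
    "META-INF/MANIFEST.MF": b"Build-Jdk-Spec: 17\n",
    "pom.properties": b"version=2.24.0\r\n",
    "Logger.java": b"interface Logger { }\n",
}, (2024, 9, 4, 12, 0, 0))

if __name__ == "__main__":
    for entry, reason in triage_jar(REFERENCE, REBUILT):
        print(f"{entry}: {reason}")
```

Only a "content differs" finding points at a real source or toolchain difference; the other classes are packaging noise that a reproducible build is expected to eliminate.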

Re: [VOTE] Release Apache Log4j `2.24.0`

2024-09-04 Thread Ralph Goers
Personally, I would appreciate a document I can read that documents the build 
process. Even though I am sure it is all Maven plugins of some kind it isn’t 
unusual for the order and configuration of the plugins to be important.

I’d really like to know what I need to do to get it to work for some existing 
project or a brand new one.

Ralph

> On Sep 4, 2024, at 3:56 AM, Christian Grobmeier wrote:
> 
> 
> On Tue, Sep 3, 2024, at 21:51, Gary Gregory wrote:
>> From my point of view, building has gotten worse and less reliable over
>> time :-(
> 
> To be fair, the new build system was, at least for me, welcoming and 
> straightforward to use. Although complex under the hood, it’s a major 
> improvement over the build system we had in log4j1 (like Stone Age to 
> enterprise) and also lots better than the various documents with different 
> content we had with early log4j2.
> 
> I am not sure why it did not build on your machine but on the others, but it 
> is certainly worth improving the system we have today.
> 
> I see a trend within this team that only a few people push forward changes like 
> maintaining the build. I think it would be beneficial if others would learn 
> more about how it works and the details so everyone can provide patches.
> 
> Volkan already offered to help. If there is more interest we maybe could have 
> a video training session on the details, assuming Volkan would be willing to do 
> this as well. I would be certainly interested in this.
> 
> Cheers 
> 
>> My -1 vote reflects this.
>> 
>> Gary
>> 
>> On Tue, Sep 3, 2024, 2:55 PM Volkan Yazıcı wrote:
>> 
>>> Gary, do you know what is the difference between RC1 and RC2? Nothing.
>>> Piotr only kindly added a one-liner condition check to the contending
>>> (FQDN-related) test to make it up to you. That is the only difference –
>>> plus, he updated the review kit (shared in the email) to avoid the
>>> reproducibility check on Windows. Put another way, RC1 is effectively
>>> identical to RC2, bit by bit.
>>> 
>>> My point is, 3 people verified the release and CI runs passed on all 3
>>> platforms – there is definitely something unexpected in your setup. As you
>>> know better, issuing an RC is a time and energy consuming task. Besides RM,
>>> other voters put effort into it too. Would you mind asking for further help
>>> instead of downvoting a release due to local failures, please? I would have
>>> been more than happy to assist you in a video call, instead of re-issuing
>>> the whole release.
>>> 
>>> On Tue, Sep 3, 2024 at 4:04 PM Gary D. Gregory 
>>> wrote:
>>> 
>>>> -1
>>>>
>>>> On Windows, I deleted my entire .m2/repository folder and then ran
>>>>
>>>> mvnw -Prelease clean verify artifact:compare
>>> -Dreference.repo=%NEXUS_REPO%
>>>>
>>>> and got:
>>>>
>>>> [INFO] Minimal buildinfo generated from downloaded artifacts:
>>>>
>>> C:\Users\ggregory\rc\2.24.0\src\target\reference\log4j-bom-2.24.0.buildinfo
>>>> [ERROR] size mismatch log4j-bom-2.24.0.pom: investigate with diffoscope
>>>> target\reference\org.apache.logging.log4j\log4j-bom-2.24.0.pom
>>>> .flattened-pom.xml
>>>> [ERROR] size mismatch log4j-bom-2.24.0-cyclonedx.xml: investigate with
>>>> diffoscope
>>>> target\reference\org.apache.logging.log4j\log4j-bom-2.24.0-cyclonedx.xml
>>>> target\bom.xml
>>>> [ERROR] Reproducible Build output summary: 0 files ok, 2 different
>>>> [ERROR] see diff target\reference\log4j-bom-2.24.0.buildinfo
>>>> target\log4j-bom-2.24.0.buildinfo
>>>> [ERROR] see also
>>>> https://maven.apache.org/guides/mini/guide-reproducible-builds.html
>>>> [INFO] Reproducible Build output comparison saved to
>>>> C:\Users\ggregory\rc\2.24.0\src\target\log4j-bom-2.24.0.buildcompare
>>>> [INFO] Aggregate buildcompare copied to
>>>> C:\Users\ggregory\rc\2.24.0\src\target\log4j-bom-2.24.0.buildcompare
>>>> [INFO]
>>>>
>>>> [INFO] Reactor Summary for Apache Log4j BOM 2.24.0:
>>>> [INFO]
>>>> [INFO] Apache Log4j BOM ... FAILURE
>>> [02:58
>>>> min]
>>>> [
>>>>
>>>> So I give up after trying macOS, Linux, and Windows.
>>>>
>>>> Gary
>>>>
>>>> On 2024/09/03 13:23:59 "Gary D. Gregory" wrote:
>>>>> Note that I add "clean" *(why does the kit not use "clean"?)
>>>>>
>>>>> mvnw -Prelease clean verify artifact:compare
>>> -Dreference.repo=$NEXUS_REPO
>>>>>
>>>>> Gary
>>>>>
>>>>> On 2024/09/03 13:21:32 "Gary D. Gregory" wrote:
>>>>>> It fails differently on Ubuntu:
>>>>>>
>>>>>> ...
>>>>>> [INFO] --- artifact:3.5.1:compare (default-cli) @ log4j-api ---
>>>>>> [WARNING]  property is inherited from
>>>> outside the reactor, it should be defined in parent POM from reactor
>>>> /mnt/c/Users/ggregory/rc/2.24.0/src/.flattened-pom.xml
>>>>>> [INFO] Reference buildinfo file not found: it will be generated from
>>>> downloaded reference artifacts
>>>>>> [INFO] Reference build java.version: 17 (from MANIFEST.MF
>>>> Build-Jdk-Spec)
>>>>>>