thank you Aman,
high-level view of results:
https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/commons-daemon/README.md
reading release instructions
https://github.com/apache/commons-daemon/blob/master/HOWTO-RELEASE.txt
IIUC, a Windows machine is expe
it would be more a feature request = "build SPDX output in a reproducible way"
for now, I generally ignore SPDX output when checking rebuild output: I do not
have time to contribute more to spdx-maven-plugin
Regards,
Hervé
On 2025/01/24 13:19:53 Gary Gregory wrote:
> Piotr,
>
> Is there at le
On 2025/01/10 08:38:57 "Piotr P. Karwasz" wrote:
> Hi,
>
> On 10.01.2025 00:04, Herve Boutemy wrote:
> > -0
> >
> > as I feared, same issue as Commons Release Plugin 1.9.0 RC1: wrong
> > component hash in SBOM (in this case, it's one dependenc
On 2025/01/10 01:32:55 Gary Gregory wrote:
> On Thu, Jan 9, 2025 at 6:05 PM Herve Boutemy wrote:
> >
> > -0
> >
> > as I feared, same issue as Commons Release Plugin 1.9.0 RC1: wrong
> > component hash in SBOM (in this case, it's one dependency: commons-
> Are you sure install is not needed with multi-module builds?
yes: this issue existed sometimes with Maven 2
but starting with Maven 3, reactor inter-module resolution works flawlessly
Regards,
Hervé
On 2025/01/09 23:56:38 sebb wrote:
> On Thu, 9 Jan 2025 at 23:04, Herve Boutemy
-0
as I feared, same issue as Commons Release Plugin 1.9.0 RC1: wrong component
hash in SBOM (in this case, it's one dependency: commons-codec)
When I read
> Built using: mvn clean install site -s "$HOME/.m2/commons-settings.xml"
install should seriously be avoided when voting, but verify or pa
+1
no issue detected while checking Reproducible Builds for this one: I suppose
it's just because there is no CycloneDX output, then the local repository issue
remains undetected :)
for people rebuilding and voting, checking the output of your local rebuild
against staged content can be very si
notice: when I read the instructions, promoting
> mvn install -DskipTests -P japicmp japicmp:cmp
is exactly the type of action that can lead to local repository containing
non-official binaries
you should not promote install but package or verify
Regards,
Hervé
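One way to do the check described above (rebuild locally, then compare your own output against the staged artifacts rather than against what happens to be in your local repository), as an added example that is not code from this thread or from any Apache project. It assumes the staging area publishes one `<artifact>.sha512` sidecar per artifact, as Apache staging and dist areas do, and that the rebuild's artifacts sit in a flat `target/` directory; both directories below are constructed in a temporary location so the script runs offline.

```python
"""Compare a local Maven rebuild against staged release artifacts.

Added example, not code from the Commons thread or from any Apache project.
Assumptions (not from the thread): the staging area publishes one
'<artifact>.sha512' sidecar per artifact and the rebuild's artifacts sit in
a flat 'target/' directory.  The sample artifacts are constructed.
"""
import hashlib
import tempfile
from pathlib import Path

# SBOM outputs are the files most likely to differ when the release was built
# from a polluted local repository; they can be skipped to check the rest first.
SBOM_SUFFIXES = ("-cyclonedx.xml", "-cyclonedx.json", ".spdx.json")


def sha512_hex(path: Path) -> str:
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def read_sidecar(sidecar: Path) -> str:
    # .sha512 files are either bare hex or 'hex  filename' (sha512sum format);
    # the first whitespace-separated token is the digest in both cases.
    return sidecar.read_text().split()[0].lower()


def compare_rebuild(rebuild_dir: Path, staged_dir: Path, ignore_sboms: bool = False) -> dict:
    """Return {artifact_name: 'ok' | 'mismatch' | 'missing-local' | 'ignored'}."""
    results = {}
    for sidecar in sorted(staged_dir.glob("*.sha512")):
        name = sidecar.name[: -len(".sha512")]
        if ignore_sboms and name.endswith(SBOM_SUFFIXES):
            results[name] = "ignored"
            continue
        local = rebuild_dir / name
        if not local.is_file():
            results[name] = "missing-local"
            continue
        results[name] = "ok" if sha512_hex(local) == read_sidecar(sidecar) else "mismatch"
    return results


def build_sample() -> tuple:
    """Construct a staged area and a rebuild in which only the SBOM differs."""
    root = Path(tempfile.mkdtemp(prefix="rb-check-"))
    staged, rebuild = root / "staged", root / "target"
    staged.mkdir()
    rebuild.mkdir()
    jar = b"PK\x03\x04 constructed jar bytes, identical in both builds"
    # Constructed SBOM fragments: the staged one carries a dependency hash that
    # the local rebuild (resolving the dependency from Maven Central) does not.
    staged_bom = b'{"components":[{"name":"commons-codec","hashes":[{"alg":"SHA-256","content":"aaaa"}]}]}'
    local_bom = b'{"components":[{"name":"commons-codec","hashes":[{"alg":"SHA-256","content":"bbbb"}]}]}'
    for name, staged_bytes, local_bytes in (
        ("example-1.0.jar", jar, jar),
        ("example-1.0-cyclonedx.json", staged_bom, local_bom),
    ):
        (staged / name).write_bytes(staged_bytes)
        (staged / (name + ".sha512")).write_text(
            f"{hashlib.sha512(staged_bytes).hexdigest()}  {name}\n")
        (rebuild / name).write_bytes(local_bytes)
    # A source archive that was staged but that the local rebuild did not produce.
    src = b"constructed source archive"
    (staged / "example-1.0-src.tar.gz").write_bytes(src)
    (staged / "example-1.0-src.tar.gz.sha512").write_text(hashlib.sha512(src).hexdigest() + "\n")
    return rebuild, staged


if __name__ == "__main__":
    rebuild, staged = build_sample()
    for name, status in compare_rebuild(rebuild, staged).items():
        print(f"{status:14} {name}")
```

Run it against a real staging directory by pointing `compare_rebuild` at your `target/` and at a local copy of the staged files with their `.sha512` sidecars; a `mismatch` on only the SBOM files is exactly the symptom reported in this thread, and `missing-local` flags artifacts the staged release carries but your rebuild did not produce.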
On 2025/01/08 13:21:25 Gary Gre
-0
I checked Reproducible Builds for this RC (see history for previous releases
[1])
And I got differences on 2 files: commons-release-plugin-1.9.0-cyclonedx.xml
commons-release-plugin-1.9.0-cyclonedx.json
looking at diff, it seems the release was built with local dependencies
different from w
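To see what "wrong component hash in SBOM" looks like concretely, here is an added example (not code from this thread or from any Apache project) that checks the SHA-256 of every Maven component declared in a CycloneDX JSON BOM against the jar actually present in a local repository. The BOM fields used (`components[].purl`, `components[].hashes[].alg` / `content`) are the CycloneDX JSON layout the cyclonedx-maven-plugin emits, and the `<group-as-path>/<artifact>/<version>/<artifact>-<version>.jar` layout is the standard Maven repository layout; the repository contents and the BOM below are constructed, and the mismatch is deliberate: it models a BOM generated after `mvn install` left a locally built, non-official `commons-codec` jar in `~/.m2/repository`.

```python
"""Check CycloneDX component hashes against the jars in a local Maven repository.

Added example, not the thread's or any Apache project's code.  BOM layout and
repository layout are the standard CycloneDX JSON and Maven ones; the sample
repository and BOM are constructed, including the deliberate mismatch.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from urllib.parse import unquote


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def purl_to_repo_path(purl: str) -> Path:
    """pkg:maven/<group>/<artifact>@<version>[?qualifiers] -> relative jar path."""
    if not purl.startswith("pkg:maven/"):
        raise ValueError(f"not a Maven purl: {purl}")
    body = unquote(purl[len("pkg:maven/"):].split("?", 1)[0])
    group, rest = body.split("/", 1)
    artifact, version = rest.split("@", 1)
    return Path(*group.split(".")) / artifact / version / f"{artifact}-{version}.jar"


def check_bom_hashes(bom_path: Path, repo_root: Path) -> dict:
    """Return {purl: 'ok' | 'mismatch' | 'no-sha256-in-bom' | 'not-in-local-repo'}."""
    bom = json.loads(bom_path.read_text())
    results = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl or not purl.startswith("pkg:maven/"):
            continue
        declared = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        if declared is None:
            results[purl] = "no-sha256-in-bom"
            continue
        jar = repo_root / purl_to_repo_path(purl)
        if not jar.is_file():
            results[purl] = "not-in-local-repo"
            continue
        results[purl] = "ok" if sha256_hex(jar.read_bytes()) == declared else "mismatch"
    return results


def build_sample() -> tuple:
    """Construct a local repository holding the official jars and a BOM whose
    commons-codec hash was computed from a locally installed, different jar."""
    root = Path(tempfile.mkdtemp(prefix="bom-check-"))
    repo = root / "repository"
    official_codec = b"PK\x03\x04 constructed commons-codec as published"
    locally_installed_codec = b"PK\x03\x04 constructed commons-codec built by a local 'mvn install'"
    official_lang = b"PK\x03\x04 constructed commons-lang3 as published"
    for group, artifact, version, data in (
        ("commons-codec", "commons-codec", "1.17.1", official_codec),
        ("org.apache.commons", "commons-lang3", "3.17.0", official_lang),
    ):
        path = repo / purl_to_repo_path(f"pkg:maven/{group}/{artifact}@{version}")
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    bom = {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "group": "commons-codec", "name": "commons-codec", "version": "1.17.1",
             "purl": "pkg:maven/commons-codec/commons-codec@1.17.1?type=jar",
             # hash of the non-official jar: this is the defect the thread reports
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(locally_installed_codec)}]},
            {"type": "library", "group": "org.apache.commons", "name": "commons-lang3", "version": "3.17.0",
             "purl": "pkg:maven/org.apache.commons/commons-lang3@3.17.0?type=jar",
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(official_lang)}]},
        ],
    }
    bom_path = root / "example-cyclonedx.json"
    bom_path.write_text(json.dumps(bom, indent=2))
    return bom_path, repo


if __name__ == "__main__":
    bom_path, repo = build_sample()
    for purl, status in check_bom_hashes(bom_path, repo).items():
        print(f"{status:18} {purl}")
```

Against a real release, point `check_bom_hashes` at the staged `*-cyclonedx.json` and at a fresh local repository populated only from Maven Central (for example by resolving into an empty `-Dmaven.repo.local`), so that the comparison is with the official dependency jars rather than with whatever an earlier `mvn install` left behind.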
Hi team,
I'm happy to have people like you trying to rebuild and compare: your feedback
on your experience is very valuable.
Here are a few remarks on this thread:
- if you want to rebuild and *compare against a remote repository* (be it a
SNAPSHOT or a release), you absolutely need to *avoid