Hi Alex, Thank you for the additional testing and reporting.
As a baseline, the VFS git master build is green on macOS, Windows, and Linux using Java 8, 11, and 17: https://github.com/apache/commons-vfs/actions where the current latest CI build for git master is https://github.com/apache/commons-vfs/actions/runs/3068521283 With VFS git master plus a local change to update to commons-parent from 53 to 54, I ran the default Maven goal from the command line ('mvn') on macOS using: Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63) Maven home: /usr/local/Cellar/maven/3.8.6/libexec Java version: 1.8.0_345, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@8/1.8.0+345/libexec/openjdk.jdk/Contents/Home/jre Default locale: en_US, platform encoding: UTF-8 OS name: "mac os x", version: "12.6", arch: "x86_64", family: "mac" Darwin gdg-mac-mini.local 21.6.0 Darwin Kernel Version 21.6.0: Mon Aug 22 20:17:10 PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64 x86_64 My local build passed in about 12 minutes. Maybe you had a random failure or were not running from the command line. Some VFS tests won't run properly from IDEs because they depend on the old VFS testing framework still in place that relies on some JUnit 3 patterns. WRT SBOMS like CycloneDX and multi-module projects, I think we need to live with the growing pains for now. I just tested a single module component -- Commons Text -- and that worked and produced and installed the right files. TY! Gary On Tue, Sep 20, 2022 at 6:40 AM Alex Herbert <alex.d.herb...@gmail.com> wrote: > > Hi Gary, > > I tried VFS. On my mac it did not pass the unit tests: > > [*ERROR*] *Errors: * > > [*ERROR*] * > AbstractSftpProviderTestCase$SftpProviderTestSuite>AbstractTestSuite.run:239->AbstractTestSuite.lambda$run$0:234->setUp:235->AbstractTestSuite.setUp:268 > » FileSystem Could not connect to SFTP server at > "sftp://testtest@localhost:51426/".* > > [*ERROR*] * > SftpPermissionExceptionTestCase$1>AbstractTestSuite.run:239->AbstractTestSuite.lambda$run$0:234->AbstractSftpProviderTestCase$SftpProviderTestSuite.setUp:235->AbstractTestSuite.setUp:268 > » FileSystem Could not connect to SFTP server at > "sftp://testtest@localhost:51426/".* > > [*ERROR*] * > SftpProviderClosedExecChannelTestCase$1>AbstractTestSuite.run:239->AbstractTestSuite.lambda$run$0:234->AbstractSftpProviderTestCase$SftpProviderTestSuite.setUp:235->AbstractTestSuite.setUp:268 > » FileSystem Could not connect to SFTP server at > "sftp://testtest@localhost:51426/".* > > [*ERROR*] * > SftpProviderStreamProxyModeTestCase$1>AbstractTestSuite.run:239->AbstractTestSuite.lambda$run$0:234->AbstractSftpProviderTestCase$SftpProviderTestSuite.setUp:235->AbstractTestSuite.setUp:268 > » FileSystem Could not connect to SFTP server at > "sftp://testtest@localhost:51426/".* > > I've never built this project before so I do not know if this is just a > flaky build. FYI: > > *Apache Maven 3.6.3 (cecedd343002696d0abb50b32b541b8a6ba2883f)* > > Maven home: /usr/local/apache-maven-3.6.3 > > Java version: 11.0.12, vendor: Eclipse Foundation, runtime: > /Library/Java/JavaVirtualMachines/temurin-11.jdk/Contents/Home > > Default locale: en_GB, platform encoding: UTF-8 > > OS name: "mac os x", version: "11.5", arch: "x86_64", family: "mac" > > I tried on linux where 'mvn install' ran OK (it took ~14 minutes). Here it > worked OK. The CycloneDX plugin creates a bom for each project module in > every module target directory, e.g. > > ./commons-vfs2-jackrabbit2/target/commons-vfs2-2.10.0-SNAPSHOT-bom.xml > ./commons-vfs2-jackrabbit2/target/commons-vfs2-project-2.10.0-SNAPSHOT-bom.xml > > ./commons-vfs2-jackrabbit2/target/commons-vfs2-examples-2.10.0-SNAPSHOT-bom.xml > > ./commons-vfs2-jackrabbit2/target/commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.xml > > ./commons-vfs2-jackrabbit2/target/commons-vfs2-jackrabbit1-2.10.0-SNAPSHOT-bom.xml > > ./commons-vfs2-jackrabbit2/target/commons-vfs2-distribution-2.10.0-SNAPSHOT-bom.xml > > When installed the local maven repository only contains: > > commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-cyclonedx.json > commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-cyclonedx.xml > > The installed file matches > commons-vfs2-jackrabbit2-2.10.0-SNAPSHOT-bom.xml. A quick check in the > other modules and it is the same. The bom matching the module name matches > the installed cylonedx file in the maven repo. So here I think the > plugin is working correctly. > > I tried Commons Numbers again on linux and got the same result (an error > installing on the first module). So this may require some work on a minimal > multi-module project to find out what is causing the issue. Note that on > the projects I tried (RNG, Numbers, Statistics) they all have a first > module that does not include any dependencies. I added one with a test case > to exercise the code using the dependency but the install error still > occurred. All these projects have the same multi-module structure and so I > can investigate what is different between these and VFS. > > Alex > > > On Tue, 20 Sept 2022 at 00:52, Gary Gregory <garydgreg...@gmail.com> wrote: > > > Hi Alex, > > > > Thank you for the review. > > > > - .gitattributes: Yes let's do that for the next release. In addition, > > there has been talk about this and recent changes around these types of > > files on the Maven mailing list but we can and should handle these in our > > parent POM for now. > > > > - CycloneDX: At the time I integrated this, I tested with Commons VFS and > > nothing broke but it is unfortunate that the plugin does some odd things in > > a multi module project. Would report this as an issue to CycloneDX? > > > > In general, and in light of security issues in the software ecosystem, I > > think that providing these metadata is important, so I am willing to go > > through some of the growing pains but handling multi-module projects needs > > to get fixed upstream in CycloneDX. > > > > Gary > > > > > > On Mon, Sep 19, 2022, 17:07 Alex Herbert <alex.d.herb...@gmail.com> wrote: > > > > > Cloned and installed locally from the git tag. > > > > > > I updated Commons RNG to use parent 54 and tested with: > > > > > > mvn clean package > > > > > > I had to add '.gitattributes' to a list of excluded files for the > > > apache-rat plugin. Not a blocker but this could be moved to > > commons-parent. > > > > > > The new bill of materials generated by CycloneDX is generated for all > > > modules and appears in the target directory. But there seems to be an > > issue > > > with this process. > > > > > > I tested a release: > > > > > > mvn -Dcommons.release.dryRun=true -Ptest-deploy -Prelease clean verify > > > deploy > > > > > > Here I get an error message from the install for the CycloneDX bom. > > > > > > [*ERROR*] Failed to execute goal > > > org.apache.maven.plugins:maven-install-plugin:2.5.2:install > > > *(default-install)* on project commons-rng-client-api: *Failed to install > > > artifact > > > org.apache.commons:commons-rng-client-api:xml:cyclonedx:1.5-SNAPSHOT: > > > > > > > > /Users/ah403/git/commons-rng/commons-rng-client-api/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml > > > (No such file or directory)* -> *[Help 1]* > > > > > > The bom files are: > > > > > > ./target/commons-rng-parent-1.5-SNAPSHOT-bom.xml > > > > > > > > ./commons-rng-client-api/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml > > > > > > ./commons-rng-core/target/commons-rng-simple-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-core/target/commons-rng-core-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-core/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-core/target/commons-rng-sampling-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-core/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml > > > > > > ./commons-rng-simple/target/commons-rng-simple-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-simple/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-simple/target/commons-rng-sampling-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-simple/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml > > > > > > ./commons-rng-sampling/target/commons-rng-client-api-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-sampling/target/commons-rng-sampling-1.5-SNAPSHOT-bom.xml > > > ./commons-rng-sampling/target/commons-rng-parent-1.5-SNAPSHOT-bom.xml > > > > > > > > > For some reason the CycloneDX bom for commons-rng-parent is placed in the > > > target directory for all the child modules except commons-rng-client-api. > > > So the install fails on this module. > > > > > > I do not know what is different about this module. It has no dependencies > > > other than commons-rng-parent. The other modules are all dependent on it. > > > It seems to be the issue that it is the first child module. > > > > > > A simpler multi-module project is Commons Statistics. It only has one > > child > > > module. This works with CP 54 for 'mvn verify -Dspotbugs.skip -Dpmd.skip' > > > (I did not suppress 'new' bugs found by an upgraded spotbugs and a weird > > > PMD runtime error) but fails for 'mvn install -Dspotbugs.skip -Dpmd.skip' > > > for the same error. So it seems in the first child module of the > > > multi-module project the parent bom is not copied by cyclone DX. > > > > > > As a final test I tried with Commons Numbers. This again works for 'mvn > > > verify' but not 'mvn install' with the same issue. The first child module > > > is missing the bom for the parent module. Other child modules appear to > > > have a bom for all their dependencies. > > > > > > I see that you did revert the Cyclone DX version to an earlier version > > due > > > to issues with building the parent POM. So perhaps this is another bug in > > > CycloneDX for multi-module builds. > > > > > > This is not a blocker as the plugin can simply be disabled. However it is > > > not ideal as this plugin is meant to add traceability to the build and > > > currently it does not work for multi-module projects as configured. > > > > > > Alex > > > > > > > > > On Sun, 18 Sept 2022 at 22:39, Bruno Kinoshita <ki...@apache.org> wrote: > > > > > > > [x] +1 Release these artifacts > > > > > > > > Thanks! > > > > > > > > On Mon, 19 Sept 2022 at 03:47, Gary Gregory <garydgreg...@gmail.com> > > > > wrote: > > > > > > > > > We have fixed a few bugs and added enhancements since Apache Commons > > > > > Parent 53 was released, so I would like to release Apache Commons > > > > > Parent 54. > > > > > > > > > > Apache Commons Parent 54 RC1 is available for review here: > > > > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1 > > > > > (svn revision 56878) > > > > > > > > > > The Git tag commons-parent-54-RC1 commit for this RC is > > > > > efd8232f4811706ad21bc3583e32d2473256b8d8 which you can browse here: > > > > > > > > > > > > > > > > > > > https://gitbox.apache.org/repos/asf?p=commons-parent.git;a=commit;h=efd8232f4811706ad21bc3583e32d2473256b8d8 > > > > > You may checkout this tag using: > > > > > git clone https://gitbox.apache.org/repos/asf/commons-parent.git > > > > > --branch < > > > https://gitbox.apache.org/repos/asf/commons-parent.git--branch > > > > > > > > > > commons-parent-54-RC1 commons-parent-54-RC1 > > > > > > > > > > Maven artifacts are here: > > > > > > > > > > > > > > > > > > > https://repository.apache.org/content/repositories/orgapachecommons-1594/org/apache/commons/commons-parent/54/ > > > > > > > > > > These are the artifacts and their hashes: > > > > > > > > > > #Release SHA-512s > > > > > #Sun Sep 18 11:32:16 EDT 2022 > > > > > Apache\ Commons\ > > > > > > > > > > > > > > > > > > > Parent-54.spdx.rdf.xml=a5ca11505acdfefabc2bff44f52566220929d3f1b4b7164c9fea0adf4fcb8c04223f5e27089698615264e89a071400a72b19ffc54516343cacbfdeffcf3a7776 > > > > > > > > > > > > > > > > > > > commons-parent-54-bom.json=ce0bf440d926a725e840459034d59cfe9f9bfc5b9131bee087ed2e80859a8064a5efb2c8abeb9997b08ad8fe693b1a8587c38721cca7ff63701e1ee1407ac17c > > > > > > > > > > > > > > > > > > > commons-parent-54-bom.xml=2e2f29e1d26d9f5493ea83ea9707109f755fea41a16949f56438338875ee3e21c44a362d9f58c265bf43adb7a250647c463faa3275ba042eb8673686f6a29adf > > > > > > > > > > > > > > > > > > > commons-parent-54-site.xml=735ffceca46a0574d430b4e1213a2462b9475143c0788913312b8af117eaf3b7c02a075aaf6d9b30d2560822339651cb511b838f6c9f2bced46de1fc1227c5ff > > > > > > > > > > > > > > > > > > > commons-parent-54-src.tar.gz=7b800ea9fcb607e2e44dea906d203abdc4452872b207b4ae4229090c3e9dc471f53dea6515c487453eeb17aef833b7394ee00cb1a9edd424cfc7bb6860841e07 > > > > > > > > > > > > > > > > > > > commons-parent-54-src.zip=9b3674b54052c7b56e9f3b1fe5a8bdf6673007e2c1e9a9aff2491fefdc04554550a6725bc58fe92f3b417e1284e5a61b20004fbcf514f9df0e1ef832a56bc890 > > > > > > > > > > I have tested this with 'mvn -V -Duser.name=$my_apache_id > > > > > -Ddoclint=none -Prelease -Ptest-deploy clean package site deploy' > > > > > using: > > > > > > > > > > Apache Maven 3.8.6 (84538c9988a25aec085021c365c560670ad80f63) > > > > > Maven home: /usr/local/Cellar/maven/3.8.6/libexec > > > > > Java version: 1.8.0_345, vendor: Homebrew, runtime: > > > > > /usr/local/Cellar/openjdk@8 > > > > > /1.8.0+345/libexec/openjdk.jdk/Contents/Home/jre > > > > > Default locale: en_US, platform encoding: UTF-8 > > > > > OS name: "mac os x", version: "12.6", arch: "x86_64", family: "mac" > > > > > > > > > > Darwin ***.local 21.6.0 Darwin Kernel Version 21.6.0: Mon Aug 22 > > > > > 20:17:10 PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64 x86_64 > > > > > > > > > > Details of changes since 53 are in the release notes: > > > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/RELEASE-NOTES.txt > > > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/site/changes-report.html > > > > > > > > > > Site: > > > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/site/index.html > > > > > (note some *relative* links are broken and the 54 directories are > > > > > not yet created - these will be OK once the site is deployed.) > > > > > > > > > > RAT Report: > > > > > > > > > > > > > > > > > > > https://dist.apache.org/repos/dist/dev/commons/commons-parent/54-RC1/site/rat-report.html > > > > > > > > > > KEYS: > > > > > https://www.apache.org/dist/commons/KEYS > > > > > > > > > > Please review the release candidate and vote. > > > > > This vote will close no sooner than 72 hours from now. > > > > > > > > > > [ ] +1 Release these artifacts > > > > > [ ] +0 OK, but... > > > > > [ ] -0 OK, but really should fix... > > > > > [ ] -1 I oppose this release because... > > > > > > > > > > Thank you, > > > > > > > > > > Gary Gregory, > > > > > Release Manager (using key 86fdc7e2a11262cb) > > > > > > > > > > For following is intended as a helper and refresher for reviewers. > > > > > > > > > > Validating a release candidate > > > > > ============================== > > > > > > > > > > These guidelines are NOT complete. > > > > > > > > > > Requirements: Git, Java, Maven. > > > > > > > > > > You can validate a release from a release candidate (RC) tag as > > > follows. > > > > > > > > > > 1) Clone and checkout the RC tag > > > > > > > > > > git clone https://gitbox.apache.org/repos/asf/commons-parent.git > > > > > --branch commons-parent-54-RC1 commons-parent-54-RC1 > > > > > cd commons-parent-54-RC1 > > > > > > > > > > 2) Check Apache licenses > > > > > > > > > > This step is not required if the site includes a RAT report page > > which > > > > > you then must check. > > > > > > > > > > mvn apache-rat:check > > > > > > > > > > 3) Build the package > > > > > > > > > > mvn -V clean verify > > > > > > > > > > You can record the Maven and Java version produced by -V in your VOTE > > > > > reply. > > > > > To gather OS information from a command line: > > > > > Windows: ver > > > > > Linux: uname -a > > > > > > > > > > 4) Build the site for a single module project > > > > > > > > > > Note: Some plugins require the components to be installed instead of > > > > > packaged. > > > > > > > > > > mvn site > > > > > Check the site reports in: > > > > > - Windows: target\site\index.html > > > > > - Linux: target/site/index.html > > > > > > > > > > -the end- > > > > > > > > > > --------------------------------------------------------------------- > > > > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > > > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
