Hi Gary,

On Thu, 28 Dec 2023 at 16:03, Gary Gregory <garydgreg...@gmail.com> wrote:
> What value for $NEXUS_REPO would one use to verify repro _after_ a
> release? I want to experiment with Apache Commons components...

The `reference.repo` system variable is used by the `referenceRepo` parameter of `artifact:compare`:

https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html

with a default value of `central`, so you can skip setting the parameter.

I can reproduce most of the artifacts in your latest Commons Fileupload release with this incantation:

    export TZ=UTC
    export JAVA_HOME=...path to JDK 17...
    mvn package artifact:compare \
      -DskipTests \
      -Dcyclonedx.skip \
      -Dcommons.spdx.version=0.7.1 -Dspdx.skip

The Maven Artifact Plugin only compares those artifacts, which are attached to the current build, so skipping CycloneDX and SPDX generation effectively prevents performing a reproducibility check on those artifacts. This is not ideal, but:

* SPDX has a lot of reproducibility problems,
* CycloneDX is usually reproducible, but I am probably affected by issue#410 [2],
* we actually only care about the binary artifacts and POMs, the rest is a bonus.

Piotr

[1] https://github.com/jvm-repo-rebuild/reproducible-central
[2] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/410

PS: We are mixing threads from multiple lists. For those following dev@commons, NEXUS_REPO is a reference to this thread from dev@logging:

https://lists.apache.org/thread/163ow0knp5q29hrsh1doqm3jwxkrzwoo
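Added example, not part of the original message and not the Maven Artifact Plugin's code: a stand-alone SHA-512 comparison of locally built files against reference copies, which treats binaries and POMs as required and SBOM files as a bonus, as the message does. The directory layout, file names and SBOM name patterns are assumptions.

```python
import hashlib
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# Assumed file-name patterns for the SBOM attachments the message skips.
BONUS_PATTERNS = ("*-cyclonedx.*", "*.spdx.json")

def sha512_of(path):
    """Stream a file through SHA-512 so large archives are not loaded whole."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def compare_artifacts(built_dir, reference_dir, bonus=BONUS_PATTERNS):
    """Map each reference file name to (status, required)."""
    report = {}
    for ref in sorted(Path(reference_dir).iterdir()):
        required = not any(fnmatch(ref.name, p) for p in bonus)
        built = Path(built_dir) / ref.name
        if not built.is_file():
            status = "missing"      # never produced by the local build
        elif sha512_of(built) == sha512_of(ref):
            status = "ok"           # byte-for-byte identical
        else:
            status = "mismatch"
        report[ref.name] = (status, required)
    return report

def is_reproducible(report):
    """True when every required (non-SBOM) artifact matched byte for byte."""
    return all(status == "ok" for status, required in report.values() if required)

def demo():
    """Constructed sample: identical jar and POM, SBOM differing in one field."""
    with tempfile.TemporaryDirectory() as tmp:
        built, ref = Path(tmp, "built"), Path(tmp, "reference")
        for d in (built, ref):
            d.mkdir()
            (d / "demo-1.0.jar").write_bytes(b"constructed jar bytes")
            (d / "demo-1.0.pom").write_bytes(b"<project/>")
        (built / "demo-1.0-cyclonedx.json").write_text('{"serialNumber": "urn:uuid:a"}')
        (ref / "demo-1.0-cyclonedx.json").write_text('{"serialNumber": "urn:uuid:b"}')
        return compare_artifacts(built, ref)

if __name__ == "__main__":
    for name, (status, required) in demo().items():
        print(f"{name:28} {status:9} {'required' if required else 'bonus'}")
```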