-0

I checked Reproducible Builds for this RC (see history for previous releases 
[1]), and I got differences on 2 files:
- commons-release-plugin-1.9.0-cyclonedx.xml
- commons-release-plugin-1.9.0-cyclonedx.json

Looking at the diff, it seems the release was built with local dependencies 
different from what is in Maven Central:
- pkg:maven/org.apache.commons/commons-collections4@4.5.0-M3?type=jar
- pkg:maven/commons-codec/commons-codec@1.17.2?type=jar

If you look at your local repository, you'll find different hashes from what is 
in Maven Central.

You should clean your local repository, as it seems it contains local rebuilds 
different from official releases.


This is the only reproducibility issue: it means you don't really need to drop 
the Git tag, but just drop the staging repository and rebuild and deploy to a 
new staging repository.

Don't hesitate to ping me if you want more details.

Regards,

Hervé

[1] 
https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/commons-release-plugin/README.md

Rebuilding instructions (on Linux or Mac, with Docker):
1. bin/add-new-release.sh content/org/apache/commons/commons-release-plugin/commons-release-plugin-1.8.3.buildspec 1.9.0 staging
2. edit generated buildspec to adapt the Git tag value to the transient RC1 suffix
3. ./rebuild.sh content/org/apache/commons/commons-release-plugin/commons-release-plugin-1.9.0.buildspec staging

On 2025/01/08 13:21:25 Gary Gregory wrote:
> We have fixed a few bugs and added enhancements since Apache Commons
> Release Plugin 1.8.3 was released, so I would like to release Apache
> Commons Release Plugin 1.9.0.
> 
> The main change is an update to commons-parent which picks up the
> upgrade from Doxia 1 to 2.
> 
> Apache Commons Release Plugin 1.9.0 RC1 is available for review here:
>     https://dist.apache.org/repos/dist/dev/commons/release-plugin/1.9.0-RC1
> (svn revision 74042)
> 
> The Git tag commons-release-plugin-1.9.0-RC1 commit for this RC is
> 20e1a83cb2a0b6c453cb2d337732b2032a47041f which you can browse here:
>     https://gitbox.apache.org/repos/asf?p=commons-release-plugin.git;a=commit;h=20e1a83cb2a0b6c453cb2d337732b2032a47041f
> You may checkout this tag using:
>     git clone https://gitbox.apache.org/repos/asf/commons-release-plugin.git --branch commons-release-plugin-1.9.0-RC1 commons-release-plugin-1.9.0-RC1
> 
> Maven artifacts are here:
>     https://repository.apache.org/content/repositories/orgapachecommons-1801/org/apache/commons/commons-release-plugin/1.9.0/
> 
> These are the artifacts and their hashes:
> 
> #Release SHA-512s
> #Wed Jan 08 13:15:23 UTC 2025
> 
> 
> I have tested this with 'mav' and 'mvn -e -V -P release -P test-deploy
> -P jacoco -P japicmp clean package site deploy' using:
> 
> openjdk version "17.0.13" 2024-10-15
> OpenJDK Runtime Environment Homebrew (build 17.0.13+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.13+0, mixed mode, sharing)
> 
> Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
> Maven home: /opt/homebrew/Cellar/maven/3.9.9/libexec
> Java version: 17.0.13, vendor: Homebrew, runtime:
> /opt/homebrew/Cellar/openjdk@17/17.0.13/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "15.2", arch: "aarch64", family: "mac"
> 
> Darwin ****.local 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec  6
> 19:03:40 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6041 arm64
> Docker version 27.3.1, build ce12230
> 
> Details of changes since 1.8.3 are in the release notes:
>     https://dist.apache.org/repos/dist/dev/commons/release-plugin/1.9.0-RC1/RELEASE-NOTES.txt
>     https://dist.apache.org/repos/dist/dev/commons/release-plugin/1.9.0-RC1/site/changes.html
> 
> Site:
>     https://dist.apache.org/repos/dist/dev/commons/release-plugin/1.9.0-RC1/site/index.html
>     (note some *relative* links are broken and the 1.9.0 directories
> are not yet created - these will be OK once the site is deployed.)
> 
> JApiCmp Report (compared to 1.8.3):
>     https://dist.apache.org/repos/dist/dev/commons/release-plugin/1.9.0-RC1/site/japicmp.html
> 
> RAT Report:
>     https://dist.apache.org/repos/dist/dev/commons/release-plugin/1.9.0-RC1/site/rat-report.html
> 
> KEYS:
>   https://downloads.apache.org/commons/KEYS
> 
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
> 
>   [ ] +1 Release these artifacts
>   [ ] +0 OK, but...
>   [ ] -0 OK, but really should fix...
>   [ ] -1 I oppose this release because...
> 
> Thank you,
> 
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
> 
> The following is intended as a helper and refresher for reviewers.
> 
> Validating a release candidate
> ==============================
> 
> These guidelines are NOT complete.
> 
> Requirements: Git, Java, Maven.
> 
> You can validate a release from a release candidate (RC) tag as follows.
> 
> 1a) Clone and checkout the RC tag
> 
> git clone https://gitbox.apache.org/repos/asf/commons-release-plugin.git --branch commons-release-plugin-1.9.0-RC1 commons-release-plugin-1.9.0-RC1
> cd commons-release-plugin-1.9.0-RC1
> 
> 1b) Download and unpack the source archive from:
> 
> https://dist.apache.org/repos/dist/dev/commons/release-plugin/1.9.0-RC1/source
> 
> 2) Check Apache licenses
> 
> This step is not required if the site includes a RAT report page which
> you then must check.
> 
> mvn apache-rat:check
> 
> 3) Check binary compatibility
> 
> Older components still use Apache Clirr:
> 
> This step is not required if the site includes a Clirr report page
> which you then must check.
> 
> mvn clirr:check
> 
> Newer components use JApiCmp with the japicmp Maven Profile:
> 
> This step is not required if the site includes a JApiCmp report page
> which you then must check.
> 
> mvn install -DskipTests -P japicmp japicmp:cmp
> 
> 4) Build the package
> 
> mvn -V clean package
> 
> You can record the Maven and Java version produced by -V in your VOTE reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
> 
> 5) Build the site for a single module project
> 
> Note: Some plugins require the components to be installed instead of packaged.
> 
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
> 
> -the end-
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
> 
> 
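
The reply at the top of this thread traces the two differing CycloneDX files to dependency hashes that do not match Maven Central. The following is an added example, not part of the original thread or of the reproducible-central tooling, showing how to list the components whose recorded hashes differ between a rebuilt BOM and the release candidate's BOM. All digests are constructed placeholders and `org.example/unchanged-lib` is hypothetical.

```python
# Added example: the sample BOMs are constructed and the digests are placeholders.

def component_hashes(bom):
    """Map each component's purl to {algorithm: lowercase hex digest}."""
    result = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if purl:
            result[purl] = {h["alg"]: h["content"].lower()
                            for h in comp.get("hashes", [])}
    return result


def diff_boms(reference, candidate):
    """Compare a rebuilt (reference) BOM with the release candidate's BOM."""
    ref, cand = component_hashes(reference), component_hashes(candidate)
    report = {"mismatched": {}, "uncomparable": [],
              "only_in_reference": sorted(ref.keys() - cand.keys()),
              "only_in_candidate": sorted(cand.keys() - ref.keys())}
    for purl in sorted(ref.keys() & cand.keys()):
        shared = ref[purl].keys() & cand[purl].keys()
        if not shared:
            report["uncomparable"].append(purl)  # no common hash algorithm
            continue
        bad = sorted(a for a in shared if ref[purl][a] != cand[purl][a])
        if bad:
            report["mismatched"][purl] = bad
    return report


def _comp(purl, sha256):
    """Build a minimal CycloneDX component entry (constructed sample data)."""
    return {"type": "library", "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": sha256}]}

COLLECTIONS = "pkg:maven/org.apache.commons/commons-collections4@4.5.0-M3?type=jar"
CODEC = "pkg:maven/commons-codec/commons-codec@1.17.2?type=jar"
OTHER = "pkg:maven/org.example/unchanged-lib@1.0.0?type=jar"  # hypothetical

REFERENCE = {"bomFormat": "CycloneDX", "components": [
    _comp(COLLECTIONS, "aa" * 32), _comp(CODEC, "bb" * 32), _comp(OTHER, "cc" * 32)]}
CANDIDATE = {"bomFormat": "CycloneDX", "components": [
    _comp(COLLECTIONS, "11" * 32), _comp(CODEC, "22" * 32), _comp(OTHER, "CC" * 32)]}

if __name__ == "__main__":
    for purl, algs in diff_boms(REFERENCE, CANDIDATE)["mismatched"].items():
        print(f"{purl}: differing {', '.join(algs)}")
```

On real files, pass the two `*-cyclonedx.json` documents loaded with `json.load` in place of the constructed dictionaries.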
