-0 as I feared, same issue as Commons Release Plugin 1.9.0 RC1: wrong component hash in SBOM (in this case, it's one dependency: commons-codec)
When I read
> Built using: mvn clean install site -s "$HOME/.m2/commons-settings.xml"

install should seriously be avoided when voting, but verify or package

And with

mvn clean verify site -s "$HOME/.m2/commons-settings.xml" artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/

any voter can get his own check that staging content matches his own rebuild output

Regards,

Hervé

On 2025/01/08 14:01:28 Gary Gregory wrote:
> We have fixed a few bugs and added enhancements since Apache Commons
> CSV 1.12.0 was released, so I would like to release Apache Commons CSV
> 1.13.0.
>
> Apache Commons CSV 1.13.0 RC1 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1 (svn
> revision 74044)
>
> The Git tag commons-csv-1.13.0-RC1 commit for this RC is
> f2f1cffe53cde4b36623403bdc27855cec01fac2 which you can browse here:
>
> https://gitbox.apache.org/repos/asf?p=commons-csv.git;a=commit;h=f2f1cffe53cde4b36623403bdc27855cec01fac2
> You may checkout this tag using:
> git clone https://gitbox.apache.org/repos/asf/commons-csv.git
> --branch commons-csv-1.13.0-RC1 commons-csv-1.13.0-RC1
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1802/org/apache/commons/commons-csv/1.13.0/
>
> These are the artifacts and their hashes:
>
> #Release SHA-512s
> #Wed Jan 08 13:52:37 UTC 2025
>
>
> I have tested this with 'mvn' and 'mvn -e -V -P release -P test-deploy
> -P jacoco -P japicmp clean package site deploy' using:
>
> openjdk version "17.0.13" 2024-10-15
> OpenJDK Runtime Environment Homebrew (build 17.0.13+0)
> OpenJDK 64-Bit Server VM Homebrew (build 17.0.13+0, mixed mode, sharing)
>
> Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
> Maven home: /opt/homebrew/Cellar/maven/3.9.9/libexec
> Java version: 17.0.13, vendor: Homebrew, runtime:
> /opt/homebrew/Cellar/openjdk@17/17.0.13/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "15.2", arch: "aarch64", family: "mac"
>
> Darwin ****.local 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec 6
> 19:03:40 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6041 arm64
> Docker version 27.3.1, build ce12230
>
> Details of changes since 1.12.0 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/RELEASE-NOTES.txt
>
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/changes.html
>
> Site:
>
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/index.html
> (note some *relative* links are broken and the 1.13.0 directories
> are not yet created - these will be OK once the site is deployed.)
>
> JApiCmp Report (compared to 1.12.0):
>
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/japicmp.html
>
> RAT Report:
>
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/rat-report.html
>
> KEYS:
> https://downloads.apache.org/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 86fdc7e2a11262cb)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==============================
>
> These guidelines are NOT complete.
>
> Requirements: Git, Java, Maven.
>
> You can validate a release from a release candidate (RC) tag as follows.
>
> 1a) Clone and checkout the RC tag
>
> git clone https://gitbox.apache.org/repos/asf/commons-csv.git --branch
> commons-csv-1.13.0-RC1 commons-csv-1.13.0-RC1
> cd commons-csv-1.13.0-RC1
>
> 1b) Download and unpack the source archive from:
>
> https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/source
>
> 2) Check Apache licenses
>
> This step is not required if the site includes a RAT report page which
> you then must check.
>
> mvn apache-rat:check
>
> 3) Check binary compatibility
>
> Older components still use Apache Clirr:
>
> This step is not required if the site includes a Clirr report page
> which you then must check.
>
> mvn clirr:check
>
> Newer components use JApiCmp with the japicmp Maven Profile:
>
> This step is not required if the site includes a JApiCmp report page
> which you then must check.
>
> mvn install -DskipTests -P japicmp japicmp:cmp
>
> 4) Build the package
>
> mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
>
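
Added example (not part of the original thread and not Apache Commons code): one way a voter could check the component hashes recorded in a CycloneDX bom.json against the jars in a local Maven repository, which is the kind of mismatch reported in the -0 vote above. The versions and jar contents are constructed, and the path mapping assumes the default repository layout with plain jar artifacts (no classifier).

```python
import hashlib
import tempfile
from pathlib import Path

# CycloneDX "alg" names mapped to hashlib algorithm names
ALGS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-384": "sha384",
        "SHA-512": "sha512", "SHA3-256": "sha3_256", "SHA3-512": "sha3_512"}

def jar_path(repo, comp):
    """Default Maven layout: group/as/dirs/artifact/version/artifact-version.jar"""
    g, a, v = comp["group"], comp["name"], comp["version"]
    return Path(repo).joinpath(*g.split("."), a, v, f"{a}-{v}.jar")

def check_bom(bom, repo):
    """Return (component, alg, status) for each hash recorded in the BOM."""
    results = []
    for comp in bom.get("components", []):
        label = f'{comp["group"]}:{comp["name"]}:{comp["version"]}'
        path = jar_path(repo, comp)
        if not path.is_file():
            results.append((label, None, "missing-file"))
            continue
        data = path.read_bytes()
        for h in comp.get("hashes", []):
            name = ALGS.get(h["alg"])
            if name is None:
                results.append((label, h["alg"], "unsupported-alg"))
                continue
            ok = hashlib.new(name, data).hexdigest() == h["content"].lower()
            results.append((label, h["alg"], "ok" if ok else "mismatch"))
    return results

def demo():
    """Constructed sample: two fake jars, one BOM entry carrying a wrong hash."""
    with tempfile.TemporaryDirectory() as tmp:
        comps = []
        for g, a, v, body in [("commons-codec", "commons-codec", "0.0.1", b"codec"),
                              ("commons-io", "commons-io", "0.0.2", b"io")]:
            comp = {"group": g, "name": a, "version": v}
            p = jar_path(tmp, comp)
            p.parent.mkdir(parents=True)
            p.write_bytes(body)
            comp["hashes"] = [{"alg": "SHA-256", "content": hashlib.sha256(body).hexdigest()}]
            comps.append(comp)
        # Simulate an SBOM that recorded the hash of different bytes for one dependency
        comps[0]["hashes"][0]["content"] = hashlib.sha256(b"other").hexdigest()
        return check_bom({"bomFormat": "CycloneDX", "components": comps}, tmp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Against a real build, pass the parsed bom.json and the path of the local repository (for example ~/.m2/repository) to check_bom; any "mismatch" row names the dependency whose recorded hash differs from the jar on disk.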