On Fri, Jan 10, 2025 at 3:40 AM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
>
> Hi,
>
> On 10.01.2025 00:04, Herve Boutemy wrote:
> > -0
> >
> > as I feared, same issue as Commons Release Plugin 1.9.0 RC1: wrong
> > component hash in SBOM (in this case, it's one dependency: commons-codec)
>
> -0
>
> Same problem: the SBOMs are not reproducible.
>
> I also wonder if we really need to publish the `test.jar` and
> `test-sources.jar`. I don't believe these are useful for users and they
> contain a 30 MiB test CSV file.

Hi Piotr and all,

In general publishing test jars is important IMO because some other components and users (like me) use some test jars for their non-production utility code. I would not want to have to create special exclusions on a per-component basis, making POMs or a release process even more complex than it already is.

TY,
Gary

>
> Piotr
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org