On Fri, Jan 10, 2025 at 6:36 PM Herve Boutemy <hbout...@apache.org> wrote:
>
> On 2025/01/10 01:32:55 Gary Gregory wrote:
> > On Thu, Jan 9, 2025 at 6:05 PM Herve Boutemy <hbout...@apache.org> wrote:
> > >
> > > -0
> > >
> > > as I feared, same issue as Commons Release Plugin 1.9.0 RC1: wrong
> > > component hash in SBOM (in this case, it's one dependency: commons-codec)
> > >
> > > When I read
> > > > Built using: mvn clean install site -s "$HOME/.m2/commons-settings.xml"
> > >
> > > install should seriously be avoided when voting, but verify or package
> > >
> > > And with
> > > mvn clean verify site -s "$HOME/.m2/commons-settings.xml"
> > > artifact:compare
> > > -Dreference.repo=https://repository.apache.org/content/repositories/staging/
> > >
> >
> > But that's not what Maven documents here:
> >
> > https://maven.apache.org/guides/mini/guide-reproducible-builds.html
> >
> > That page explicitly calls for using "install".
>
> that page says that you check a second build done with verify against a first
> build: the first build may be a local build with install. But in the case of
> a vote against a staged release, the first build is in the staged repository
> = what
> -Dreference.repo=https://repository.apache.org/content/repositories/staging/
> references
>
> >
> > So... should the Maven docs be updated?
>
> I reworked this page so many times to make it simple: if you find a simple
> way to improve, I'm eager to learn how

OK, I'll experiment and comment in a new thread.

Gary

> Regards,
>
> Hervé
>
> >
> > Gary
> >
> > > any voter can get his own check that staging content matches his own
> > > rebuild output
> > >
> > > Regards,
> > >
> > > Hervé
> > >
> > > On 2025/01/08 14:01:28 Gary Gregory wrote:
> > > > We have fixed a few bugs and added enhancements since Apache Commons
> > > > CSV 1.12.0 was released, so I would like to release Apache Commons CSV
> > > > 1.13.0.
> > > >
> > > > Apache Commons CSV 1.13.0 RC1 is available for review here:
> > > > https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1 (svn
> > > > revision 74044)
> > > >
> > > > The Git tag commons-csv-1.13.0-RC1 commit for this RC is
> > > > f2f1cffe53cde4b36623403bdc27855cec01fac2 which you can browse here:
> > > >
> > > > https://gitbox.apache.org/repos/asf?p=commons-csv.git;a=commit;h=f2f1cffe53cde4b36623403bdc27855cec01fac2
> > > > You may checkout this tag using:
> > > > git clone https://gitbox.apache.org/repos/asf/commons-csv.git
> > > > --branch commons-csv-1.13.0-RC1 commons-csv-1.13.0-RC1
> > > >
> > > > Maven artifacts are here:
> > > >
> > > > https://repository.apache.org/content/repositories/orgapachecommons-1802/org/apache/commons/commons-csv/1.13.0/
> > > >
> > > > These are the artifacts and their hashes:
> > > >
> > > > #Release SHA-512s
> > > > #Wed Jan 08 13:52:37 UTC 2025
> > > > commons-csv-1.13.0-bin.tar.gz=9928ba4d53401bd4010f8267cbb1ecc72bd601b002e3cf7d084a7f1378c7476cf669e54bd36655062dbd7aa9df445c893af7d04426b46c4c097634a30cc0cca2
> > > > commons-csv-1.13.0-bin.zip=95564889cddfb7282f435eabceb22eb566507565d385da6f3f63ff822121b63b868bee71ad856227e88704c3832f195730dfd2aa222e04182fb185bc2e9c9e4f
> > > > commons-csv-1.13.0-bom.json=82851bffc898f281f3db36be064988b4c28cc9fc50514f4c5aa16bbbce531e177bb27b39e1828903ecdd5efa2cfa9959f8828b0335c913b76ffaf98bdfc96ada
> > > > commons-csv-1.13.0-bom.xml=01de7773c044f6b67416e64d037a54dbe23ae49c238a5a2d2545541519bfd9536f49eff5ea4b4612771545af63615631a3f6827865fcd2258247165bd196091f
> > > > commons-csv-1.13.0-javadoc.jar=57f3a60d12e6480989230d663fc9789a27a1be0133cea7b5ab04947eecbd15e241fdcde7448b1fe3a409c39a43ef365b92b4dc145b4f1e714eca1984db7afe7d
> > > > commons-csv-1.13.0-sources.jar=27aedde71ab0f0540c4d9b0828dd76e831bc84dda4bda5f5ea24e2c41ddb7cc5e0bf33a1acbe7c0f08b416915ce2ad08ecf4e75fb62a0be416e8ab99b4235c8b
> > > > commons-csv-1.13.0-src.tar.gz=139a40878b45027d2b7b481eb0ec51f829c155747b096b4acb639ee18acc2b4c994232d623cd2bdf84d8147ec96a4cf9b327567435f2806f0dc9680115ca9f1d
> > > > commons-csv-1.13.0-src.zip=011143339d9e71b8319226fa58befeac34fc4ef0d4a2a3c53edefe67f6a5bc6a957eba0c1711f92f5a546fd1cc323e1dcf1ab10b0b9bf303130555d38fc3c2df
> > > > commons-csv-1.13.0-test-sources.jar=8805e9761c808951f13ff9f5fdbd04d01128011c81e846ccc84afbd3593ddd538502c2716626db85e5ba93c90740cfe061de38cd322d5a32539c6c0e1b33f14e
> > > > commons-csv-1.13.0-tests.jar=ab0db37debd42bc8bfe164c7ff2c9d8767ad839b39207e7082aa09ce650b899871defe743dccc5bc83edaef6e74e12d09d927b0ae1580ccf581d88610044f7d3
> > > > org.apache.commons_commons-csv-1.13.0.spdx.json=74c68940934a036ad9e9399c4cb818bf0075505c2736bbcee34b636916926f01cabe0c130184c30067c1a602483b54ce447de3953a12bf421f27eba8027930ae
> > > >
> > > >
> > > > I have tested this with 'mvn' and 'mvn -e -V -P release -P test-deploy
> > > > -P jacoco -P japicmp clean package site deploy' using:
> > > >
> > > > openjdk version "17.0.13" 2024-10-15
> > > > OpenJDK Runtime Environment Homebrew (build 17.0.13+0)
> > > > OpenJDK 64-Bit Server VM Homebrew (build 17.0.13+0, mixed mode, sharing)
> > > >
> > > > Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
> > > > Maven home: /opt/homebrew/Cellar/maven/3.9.9/libexec
> > > > Java version: 17.0.13, vendor: Homebrew, runtime:
> > > > /opt/homebrew/Cellar/openjdk@17/17.0.13/libexec/openjdk.jdk/Contents/Home
> > > > Default locale: en_US, platform encoding: UTF-8
> > > > OS name: "mac os x", version: "15.2", arch: "aarch64", family: "mac"
> > > >
> > > > Darwin ****.local 24.2.0 Darwin Kernel Version 24.2.0: Fri Dec 6
> > > > 19:03:40 PST 2024; root:xnu-11215.61.5~2/RELEASE_ARM64_T6041 arm64
> > > > Docker version 27.3.1, build ce12230
> > > >
> > > > Details of changes since 1.12.0 are in the release notes:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/RELEASE-NOTES.txt
> > > >
> > > > https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/changes.html
> > > >
> > > > Site:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/index.html
> > > > (note some *relative* links are broken and the 1.13.0 directories
> > > > are not yet created - these will be OK once the site is deployed.)
> > > >
> > > > JApiCmp Report (compared to 1.12.0):
> > > >
> > > > https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/japicmp.html
> > > >
> > > > RAT Report:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/site/rat-report.html
> > > >
> > > > KEYS:
> > > > https://downloads.apache.org/commons/KEYS
> > > >
> > > > Please review the release candidate and vote.
> > > > This vote will close no sooner than 72 hours from now.
> > > >
> > > > [ ] +1 Release these artifacts
> > > > [ ] +0 OK, but...
> > > > [ ] -0 OK, but really should fix...
> > > > [ ] -1 I oppose this release because...
> > > >
> > > > Thank you,
> > > >
> > > > Gary Gregory,
> > > > Release Manager (using key 86fdc7e2a11262cb)
> > > >
> > > > The following is intended as a helper and refresher for reviewers.
> > > >
> > > > Validating a release candidate
> > > > ==============================
> > > >
> > > > These guidelines are NOT complete.
> > > >
> > > > Requirements: Git, Java, Maven.
> > > >
> > > > You can validate a release from a release candidate (RC) tag as follows.
> > > >
> > > > 1a) Clone and checkout the RC tag
> > > >
> > > > git clone https://gitbox.apache.org/repos/asf/commons-csv.git --branch
> > > > commons-csv-1.13.0-RC1 commons-csv-1.13.0-RC1
> > > > cd commons-csv-1.13.0-RC1
> > > >
> > > > 1b) Download and unpack the source archive from:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/commons/csv/1.13.0-RC1/source
> > > >
> > > > 2) Check Apache licenses
> > > >
> > > > This step is not required if the site includes a RAT report page which
> > > > you then must check.
> > > >
> > > > mvn apache-rat:check
> > > >
> > > > 3) Check binary compatibility
> > > >
> > > > Older components still use Apache Clirr:
> > > >
> > > > This step is not required if the site includes a Clirr report page
> > > > which you then must check.
> > > >
> > > > mvn clirr:check
> > > >
> > > > Newer components use JApiCmp with the japicmp Maven Profile:
> > > >
> > > > This step is not required if the site includes a JApiCmp report page
> > > > which you then must check.
> > > >
> > > > mvn install -DskipTests -P japicmp japicmp:cmp
> > > >
> > > > 4) Build the package
> > > >
> > > > mvn -V clean package
> > > >
> > > > You can record the Maven and Java version produced by -V in your VOTE
> > > > reply.
> > > > To gather OS information from a command line:
> > > > Windows: ver
> > > > Linux: uname -a
> > > >
> > > > 5) Build the site for a single module project
> > > >
> > > > Note: Some plugins require the components to be installed instead of
> > > > packaged.
> > > >
> > > > mvn site
> > > > Check the site reports in:
> > > > - Windows: target\site\index.html
> > > > - Linux: target/site/index.html
> > > >
> > > > -the end-
> > > >
> > > > ---------------------------------------------------------------------
> > > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> > > > For additional commands, e-mail: dev-h...@commons.apache.org
> > > >
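The two local checks a voter in the thread above would actually run, as an added example. This is not code from the thread, from Apache Commons or from the Maven reproducible-builds guide: it parses a '#Release SHA-512s' listing of the shape posted in the vote mail and compares it against files in a dist directory, then reads the components of a CycloneDX bom.json and compares each recorded SHA-512 against the jar present in a local Maven repository, which is the kind of check that surfaces a wrong dependency hash in the SBOM like the commons-codec one Hervé reports. Every path, purl, file content and hash below is constructed for the demo; only the purl-to-repository-path layout (group segments, artifact, version, artifact-version.jar) and the CycloneDX `components[].hashes[].alg/content` field names are assumed from the formats themselves.

```python
"""Release-candidate hash checks against constructed inputs (added example)."""
import hashlib
import json
import os
import tempfile
from typing import Dict


def sha512_hex(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def parse_release_hashes(text: str) -> Dict[str, str]:
    """Parse 'file=hex' lines of a '#Release SHA-512s' listing; '#' lines are comments."""
    hashes = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, digest = line.partition("=")
        hashes[name.strip()] = digest.strip().lower()
    return hashes


def check_release_hashes(listing: Dict[str, str], dist_dir: str) -> Dict[str, str]:
    """Return {filename: 'ok' | 'mismatch' | 'missing'} for every listed artifact."""
    results = {}
    for name, expected in listing.items():
        path = os.path.join(dist_dir, name)
        if not os.path.isfile(path):
            results[name] = "missing"
            continue
        with open(path, "rb") as f:
            results[name] = "ok" if sha512_hex(f.read()) == expected else "mismatch"
    return results


def purl_to_repo_path(purl: str) -> str:
    """Map pkg:maven/<group>/<artifact>@<version>[?...] to <group dirs>/<artifact>/<version>/<artifact>-<version>.jar."""
    body = purl.split("?", 1)[0]
    if not body.startswith("pkg:maven/"):
        raise ValueError(f"not a Maven purl: {purl}")
    coords, version = body[len("pkg:maven/"):].rsplit("@", 1)
    group, artifact = coords.split("/", 1)
    return os.path.join(*group.split("."), artifact, version, f"{artifact}-{version}.jar")


def check_sbom_hashes(bom: dict, repo_root: str) -> Dict[str, str]:
    """Return {purl: 'ok' | 'mismatch' | 'missing-jar' | 'no-sha512'} per SBOM component."""
    results = {}
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        recorded = next((h["content"].lower() for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-512"), None)
        if recorded is None:
            results[purl] = "no-sha512"
            continue
        path = os.path.join(repo_root, purl_to_repo_path(purl))
        if not os.path.isfile(path):
            results[purl] = "missing-jar"
            continue
        with open(path, "rb") as f:
            results[purl] = "ok" if sha512_hex(f.read()) == recorded else "mismatch"
    return results


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed fixture: a dist dir where one file no longer matches its listing,
    and a local repo whose SBOM records a wrong hash for one dependency."""
    root = tempfile.mkdtemp(prefix="rc-check-")
    dist = os.path.join(root, "dist")
    os.makedirs(dist)
    good = b"constructed bin.tar.gz bytes"
    with open(os.path.join(dist, "example-1.0.0-bin.tar.gz"), "wb") as f:
        f.write(good)
    with open(os.path.join(dist, "example-1.0.0-src.zip"), "wb") as f:
        f.write(b"constructed src.zip bytes, altered after the listing was made")
    listing = parse_release_hashes(
        "#Release SHA-512s\n#constructed listing\n"
        f"example-1.0.0-bin.tar.gz={sha512_hex(good)}\n"
        f"example-1.0.0-src.zip={sha512_hex(b'constructed src.zip bytes')}\n"
        f"example-1.0.0-bom.json={'0' * 128}\n")  # listed but never downloaded
    repo = os.path.join(root, "repo")
    lib_a = "pkg:maven/org.example/lib-a@1.0.0?type=jar"
    lib_b = "pkg:maven/org.example/lib-b@2.0.0?type=jar"
    jars = {lib_a: b"lib-a 1.0.0 jar bytes", lib_b: b"lib-b 2.0.0 jar bytes"}
    for purl, data in jars.items():
        path = os.path.join(repo, purl_to_repo_path(purl))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
        {"type": "library", "purl": lib_a,
         "hashes": [{"alg": "SHA-512", "content": sha512_hex(jars[lib_a])}]},
        # wrong: hash taken from a different build of lib-b than the jar in the repo
        {"type": "library", "purl": lib_b,
         "hashes": [{"alg": "SHA-512", "content": sha512_hex(b"lib-b 1.9.0 jar bytes")}]},
        {"type": "library", "purl": "pkg:maven/org.example/lib-c@3.0.0?type=jar",
         "hashes": [{"alg": "SHA-512", "content": "f" * 128}]}]}
    return {"dist": check_release_hashes(listing, dist),
            "sbom": check_sbom_hashes(json.loads(json.dumps(bom)), repo)}


if __name__ == "__main__":
    for section, res in demo().items():
        for key, status in res.items():
            print(f"{section:4} {status:12} {key}")
```

Against a real RC you would point check_release_hashes at the downloaded dist/dev directory with the listing copied from the vote mail, and check_sbom_hashes at the staged bom.json with repo_root set to your ~/.m2/repository after a `verify` build; any 'mismatch' is exactly the condition that draws a -0 or -1 in the thread.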