Hi Gary,
On 11.01.2025 15:59, Gary Gregory wrote:
In a vote thread, Herve wrote:
"
install should seriously be avoided when voting, but verify or package
And with
mvn clean verify site -s "$HOME/.m2/commons-settings.xml" artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/
any voter can get his own check that staging content matches his own
rebuild output
"
Does this mean that you must deploy to Nexus in order to run artifact:compare ?
Is there a way to test locally only?
Not necessarily. The Maven Artifact plugin uses the usual resolution
mechanism to download the artifact from the remote reference repo:
before making the HTTP request it checks the local Maven repo/cache.
If you want to verify if the build is reproducible on your machine, you
can run:
1) mvn clean install
2) mvn clean verify artifact:compare
This will compare the artifact created in 1 with the one created in 2.
However, nowadays this check is IMHO useless. The check will fail if the
Maven plugins you are using don't have reproducible results. Except for the
SPDX Maven plugin, most Maven plugins are deterministic (or can be if
you configure them correctly: e.g., you always need to set
`project.build.outputTimestamp`). The check will NOT fail if your build
environment is corrupted.
A better test for reproducibility is to deploy to Nexus and verify
reproducibility on a **different** machine. This is what I usually do to
verify Log4j releases:
1) Log4j is deployed to Nexus from a GitHub action.
2) On my local machine I run `mvn clean verify artifact:compare` as any
other PMC member before sending the release vote.
You can also configure GH actions to run a reproducibility test
automatically after a deployment: I have a GH action ready[1] to use in
Log4j, we can probably adapt it for Commons too.
Piotr
PS: In Log4j we struggled a little bit to retrieve the URL of the
staging repo[2]. We didn't know about
`https://repository.apache.org/content/repositories/staging/`.
[1] https://github.com/apache/logging-parent/blob/main/.github/workflows/verify-reproducibility-reusable.yaml
[2] https://github.com/apache/logging-parent/pull/246
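As an added illustration of the cross-check described above (this is example code, not from the thread, from Log4j or from Commons): a small script that fetches the staged files for one artifact from the Apache staging repository and compares them byte for byte with what a local `mvn clean verify` left in `target/`, independently of the Maven Artifact plugin. The group, artifact and version on the command line and the list of classifiers are assumptions.

```shell
#!/usr/bin/env bash
# Manual reproducibility cross-check against the Apache staging repository.
# Reproducible builds yield byte-identical jars, so plain `cmp` is the test.
set -u

STAGING_REPO="https://repository.apache.org/content/repositories/staging"

# Compare every regular file in $1 (reference, e.g. the staged download)
# with the file of the same name in $2 (local rebuild). Prints one line per
# file; returns 1 on any mismatch or missing counterpart, 0 if all match.
compare_dirs() {
    local reference="$1" rebuilt="$2" status=0 f name
    for f in "$reference"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ ! -f "$rebuilt/$name" ]; then
            echo "MISSING  $name (in reference, not in local rebuild)"
            status=1
        elif cmp -s "$f" "$rebuilt/$name"; then
            echo "OK       $name"
        else
            echo "DIFFERS  $name"
            status=1
        fi
    done
    return "$status"
}

# Download pom, jar, sources and javadoc for one GAV into $4 using the
# standard Maven repository layout. Needs network access; the self-test
# below exercises compare_dirs only. The classifier list is an assumption.
fetch_staging() {
    local group="$1" artifact="$2" version="$3" dest="$4" suffix
    local base="$STAGING_REPO/$(echo "$group" | tr . /)/$artifact/$version"
    mkdir -p "$dest"
    for suffix in ".pom" ".jar" "-sources.jar" "-javadoc.jar"; do
        curl -fsSL -o "$dest/$artifact-$version$suffix" \
            "$base/$artifact-$version$suffix" || return 1
    done
}

# Usage: ./verify-staging.sh <groupId> <artifactId> <version> [target-dir]
# (placeholder arguments; run after `mvn clean verify` in the project root)
if [ "$#" -ge 3 ]; then
    tmp=$(mktemp -d)
    fetch_staging "$1" "$2" "$3" "$tmp" && compare_dirs "$tmp" "${4:-target}"
fi
```

Running this on a machine other than the one that deployed the release is the point: a corrupted build environment will not agree with an independent rebuild.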