So, I built a release candidate for Apache Commons CSV but did not call a vote. Tell me (Piotr, Herve, ...) if I get this right:
I downloaded https://dist.apache.org/repos/dist/dev/commons/cli/1.10.0-RC1/source/commons-cli-1.10.0-src.zip and:

cd ~/rc
unzip commons-cli-1.10.0-src.zip
cd commons-cli-1.10.0-src
mvn clean verify artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/

That failed because SPDX is not playing nice?

[INFO] --- artifact:3.5.3:compare (default-cli) @ commons-cli ---
[INFO] Saved info on build to /Users/garygregory/rc/commons-cli-1.10.0-src/target/commons-cli-1.10.0.buildinfo
[INFO] Checking against reference build from https://repository.apache.org/content/repositories/staging/...
Downloading from reference: https://repository.apache.org/content/repositories/staging/commons-cli/commons-cli/1.10.0/commons-cli-1.10.0.buildinfo
[INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
[INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Unix (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /Users/garygregory/rc/commons-cli-1.10.0-src/target/reference/commons-cli-1.10.0.buildinfo
[ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json target/site/commons-cli_commons-cli-1.10.0.spdx.json
[ERROR] Reproducible Build output summary: 7 files ok, 1 different
[ERROR] see diff target/reference/commons-cli-1.10.0.buildinfo target/commons-cli-1.10.0.buildinfo
[ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[INFO] Reproducible Build output comparison saved to /Users/garygregory/rc/commons-cli-1.10.0-src/target/commons-cli-1.10.0.buildcompare
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------

diff target/reference/commons-cli-1.10.0.buildinfo target/commons-cli-1.10.0.buildinfo

0a1,15
> # https://reproducible-builds.org/docs/jvm/
> buildinfo.version=1.0-SNAPSHOT
>
> name=Apache Commons CLI
> group-id=commons-cli
> artifact-id=commons-cli
> version=1.10.0
>
> # source information
> source.scm.uri=scm:git:https://gitbox.apache.org/repos/asf/commons-cli.git
> source.scm.tag=HEAD
>
> # build instructions
> build-tool=mvn
>
2,3c17,19
< java.version=17 (from MANIFEST.MF Build-Jdk-Spec)
< os.name=Unix (from pom.properties newline)
---
> java.version=17.0.13
> java.vendor=Homebrew
> os.name=Mac OS X
4a21,25
> # Maven rebuild instructions and effective environment
> mvn.version=3.9.9
>
> # output
>
43c64
< outputs.7.checksums.sha512=63fbd4ddc6dc0cd50c14c2aa0981633403b0780b00375e42ecc9393e1958d02b94c159fc0ea7974b33453bd439409b0d88dfe8d90dfc878535b65031d688882f
---
> outputs.7.checksums.sha512=18f85f341b3744257acbec512f1ab68d3c5e34eb5bfbd93722f93b022690fb518f7dd27ad231d24a4abc60a8386ac6304be2992a8b306aab6222c425aaa658a0

What does that even mean and what am I supposed to do about it?

Help needed ;-)

Gary

On Sat, Jan 11, 2025 at 12:14 PM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
>
> Hi Gary,
>
> On 11.01.2025 15:59, Gary Gregory wrote:
> > In a vote thread, Herve wrote:
> >
> > "
> > install should seriously be avoided when voting, but verify or package
> >
> > And with
> > mvn clean verify site -s "$HOME/.m2/commons-settings.xml"
> > artifact:compare
> > -Dreference.repo=https://repository.apache.org/content/repositories/staging/
> >
> > any voter can get his own check that staging content matches his own
> > rebuild output
> > "
> >
> > Does this mean that you must deploy to Nexus in order to run
> > artifact:compare ?
> > Is there a way to test locally only?
>
> Not necessarily. The Maven Artifact plugin uses the usual resolution
> mechanism to download the artifact from the remote reference repo:
> before making the HTTP request it checks the local Maven repo/cache.
>
> If you want to verify if the build is reproducible on your machine, you
> can run:
>
> 1) mvn clean install
>
> 2) mvn clean verify artifact:compare
>
> This will compare the artifact created in 1 with the one created in 2.
> However, nowadays this check is IMHO useless. The check will fail if the
> Maven plugins you are using don't have reproducible results. Except for
> the SPDX Maven plugin, most Maven plugins are deterministic (or can be if
> you configure them correctly: e.g., you always need to set
> `project.build.outputTimestamp`). The check will NOT fail if your build
> environment is corrupted.
>
> A better test for reproducibility is to deploy to Nexus and verify
> reproducibility on a **different** machine. This is what I usually do to
> verify Log4j releases:
>
> 1) Log4j is deployed to Nexus from a GitHub action.
>
> 2) On my local machine I run `mvn clean verify artifact:compare` as any
> other PMC member before sending the release vote.
>
> You can also configure GH actions to run a reproducibility test
> automatically after a deployment: I have a GH action ready[1] to use in
> Log4j; we can probably adapt it for Commons too.
>
> Piotr
>
> PS: In Log4j we struggled a little bit to retrieve the URL of the
> staging repo[2]. We didn't know about
> `https://repository.apache.org/content/repositories/staging/`.
>
> [1]
> https://github.com/apache/logging-parent/blob/main/.github/workflows/verify-reproducibility-reusable.yaml
>
> [2] https://github.com/apache/logging-parent/pull/246
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
For additional commands, e-mail: dev-h...@commons.apache.org
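Editor's note, added after the thread (not code from Commons CLI, Log4j or the Maven Artifact plugin): what `artifact:compare` is doing above is lining up the `outputs.N.*` entries of two `.buildinfo` files, the one it generated from the artifacts it downloaded from the staging repo and the one written by the local rebuild, and reporting every output whose sha512 differs. Reading that off a raw `diff` of the two files is awkward because the entries are keyed by index, not by filename. The script below reimplements that comparison in a per-file form and also lets a voter check artifacts on disk against a buildinfo. It assumes only the key layout documented at https://reproducible-builds.org/docs/jvm/ (`outputs.<n>.filename`, `outputs.<n>.length`, `outputs.<n>.checksums.sha512`); the function names and the sample file contents are constructed for the example. The thread shows that the SPDX document's sha512 differed, not what inside it differed, so the sample just makes that one file differ.

```python
"""Compare two Maven .buildinfo files output by output, as artifact:compare does.

Added example for this thread; not code from Commons CLI or the Maven Artifact
plugin. Assumes only the buildinfo key layout documented at
https://reproducible-builds.org/docs/jvm/; sample contents are constructed.
"""
import hashlib
import re

# outputs.<n>.filename / outputs.<n>.length / outputs.<n>.checksums.sha512
_OUTPUT_KEY = re.compile(r"^outputs\.(\d+)\.(filename|length|checksums\.sha512)$")


def sha512_hex(data: bytes) -> str:
    """Hex SHA-512, the digest a buildinfo records for each output."""
    return hashlib.sha512(data).hexdigest()


def render_buildinfo(files: dict) -> str:
    """Emit a minimal buildinfo from {filename: bytes} (constructed, not a real build)."""
    lines = ["# https://reproducible-builds.org/docs/jvm/",
             "buildinfo.version=1.0-SNAPSHOT", "", "# output"]
    for i, (name, data) in enumerate(sorted(files.items())):
        lines += [f"outputs.{i}.filename={name}",
                  f"outputs.{i}.length={len(data)}",
                  f"outputs.{i}.checksums.sha512={sha512_hex(data)}"]
    return "\n".join(lines) + "\n"


def parse_buildinfo(text: str):
    """Return (header, outputs). header holds the non-output key/values;
    outputs maps filename -> {'length': int|None, 'sha512': str|None}."""
    header, by_index = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")   # values may contain spaces or '='
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        m = _OUTPUT_KEY.match(key)
        if not m:
            header[key] = value
            continue
        entry = by_index.setdefault(int(m.group(1)), {})
        field = m.group(2)
        if field == "length":
            entry["length"] = int(value)
        elif field == "filename":
            entry["filename"] = value
        else:
            entry["sha512"] = value.lower()
    outputs = {}
    for idx in sorted(by_index):          # re-key by filename, not by index
        e = by_index[idx]
        if "filename" in e:
            outputs[e["filename"]] = {"length": e.get("length"), "sha512": e.get("sha512")}
    return header, outputs


def compare_outputs(reference: dict, rebuild: dict) -> dict:
    """Status per filename over the union of both sides."""
    result = {}
    for name in sorted(set(reference) | set(rebuild)):
        ref, new = reference.get(name), rebuild.get(name)
        if ref is None:
            result[name] = "missing in reference"
        elif new is None:
            result[name] = "missing in rebuild"
        elif ref["sha512"] != new["sha512"]:
            result[name] = "sha512 mismatch"
        else:
            result[name] = "ok"
    return result


def summarize(statuses: dict) -> str:
    """One line in the plugin's wording: '<n> files ok, <m> different'."""
    ok = sum(1 for s in statuses.values() if s == "ok")
    return f"{ok} files ok, {len(statuses) - ok} different"


def verify_files(outputs: dict, files: dict) -> dict:
    """Check artifacts you actually hold ({filename: bytes}, e.g. downloaded from
    staging) against a buildinfo: True/False per file, None if you lack the file."""
    return {name: (sha512_hex(files[name]) == meta["sha512"] if name in files else None)
            for name, meta in outputs.items()}


# Constructed sample: two builds of the same release whose SPDX document differs.
REFERENCE_FILES = {
    "commons-cli-1.10.0.jar": b"constructed jar bytes, identical on both sides",
    "commons-cli-1.10.0.pom": b"<project>constructed pom</project>",
    "commons-cli-1.10.0.spdx.json": b'{"constructed": "spdx document, build A"}',
}
REBUILD_FILES = {**REFERENCE_FILES,
                 "commons-cli-1.10.0.spdx.json": b'{"constructed": "spdx document, build B"}'}


def run_sample() -> dict:
    _, ref = parse_buildinfo(render_buildinfo(REFERENCE_FILES))
    _, new = parse_buildinfo(render_buildinfo(REBUILD_FILES))
    return compare_outputs(ref, new)


if __name__ == "__main__":
    statuses = run_sample()
    for name, status in statuses.items():
        print(f"{status:>20}  {name}")
    print(summarize(statuses))
```

To use it on a real run, read the two files the plugin names in its "see diff" line (`target/reference/<artifact>.buildinfo` and `target/<artifact>.buildinfo`) into `parse_buildinfo` and pass the two `outputs` dicts to `compare_outputs`; `verify_files` is the separate check that the artifacts you downloaded from staging really carry the digests the staged buildinfo claims, which the plugin skips when, as above, no reference buildinfo was published and it has to generate one from the downloads.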