Hi Gary,

On 12.01.2025 13:40, Gary Gregory wrote:
> [ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with
> diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json
> target/site/commons-cli_commons-cli-1.10.0.spdx.json
> [ERROR] Reproducible Build output summary: 7 files ok, 1 different

These are the important lines of the error message. The SPDX artifacts
differ. AFAIK this is normal, since the `spdx-maven-plugin` has unsolved
reproducibility problems. Hervé can probably tell you more about the
status of this plugin.

You can probably run:

    mvn clean verify artifact:compare -Dreference.repo=... '-Dbuildinfo.ignore=*/*.spdx.json'

to ignore the failures on SPDX.

> [ERROR] see diff target/reference/commons-cli-1.10.0.buildinfo
> target/commons-cli-1.10.0.buildinfo
> [ERROR] see also
> https://maven.apache.org/guides/mini/guide-reproducible-builds.html

I am tempted to report this as a bug in the Maven Artifact Plugin:
unless you use different Java versions or OSes (Windows vs UNIX), the
differences in the `*.buildinfo` files are not really relevant. It is
more important to check the differences in the artifacts printed above.
Unfortunately, since this message is near the end of the error, many
people just diff the `*.buildinfo` files.
Piotr
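
A small triage helper for the console output quoted in this message, as an added example (not part of the original e-mail or of the Maven Artifact Plugin): it extracts the per-artifact mismatch lines from the log and applies ignore globs, so attention goes to the differing artifacts rather than the `*.buildinfo` diff. The sample log is constructed from the lines quoted above; the function names and the matching of globs against `groupId/filename` are assumptions.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample: the lines quoted in the message above, unwrapped onto
# single lines (assumption: the console prints each message on one line).
SAMPLE_LOG = """\
[ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json target/site/commons-cli_commons-cli-1.10.0.spdx.json
[ERROR] Reproducible Build output summary: 7 files ok, 1 different
[ERROR] see diff target/reference/commons-cli-1.10.0.buildinfo target/commons-cli-1.10.0.buildinfo
"""

MISMATCH = re.compile(
    r"^\[ERROR\] (?P<algo>\w+) mismatch (?P<file>\S+): investigate with "
    r"diffoscope (?P<reference>\S+) (?P<actual>\S+)$")
SUMMARY = re.compile(r"summary: (?P<ok>\d+) files ok, (?P<different>\d+) different")


def mismatches(log):
    """Return one dict per artifact whose checksum differs from the reference."""
    return [m.groupdict() for line in log.splitlines()
            if (m := MISMATCH.match(line.strip()))]


def summary(log):
    """Return (ok, different) from the summary line, or None if it is absent."""
    m = SUMMARY.search(log)
    return (int(m["ok"]), int(m["different"])) if m else None


def triage(log, group_id, ignore=()):
    """Split mismatches into (ignored, remaining) using glob patterns."""
    ignored, remaining = [], []
    for item in mismatches(log):
        # Assumption: globs such as '*/*.spdx.json' match "<groupId>/<filename>".
        key = f"{group_id}/{item['file']}"
        hit = any(fnmatchcase(key, pat) for pat in ignore)
        (ignored if hit else remaining).append(item)
    return ignored, remaining


if __name__ == "__main__":
    ignored, remaining = triage(SAMPLE_LOG, "commons-cli", ["*/*.spdx.json"])
    print("summary (ok, different):", summary(SAMPLE_LOG))
    for item in remaining:
        print("INVESTIGATE: diffoscope", item["reference"], item["actual"])
    print(f"{len(ignored)} ignored, {len(remaining)} need review")
```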