Piotr,

Is there at least a bug to report to the SPDX project?

Gary

On Sun, Jan 12, 2025 at 11:03 AM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
>
> Hi Gary,
>
> On 12.01.2025 13:40, Gary Gregory wrote:
> > [ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with
> > diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json
> > target/site/commons-cli_commons-cli-1.10.0.spdx.json
> > [ERROR] Reproducible Build output summary: 7 files ok, 1 different
>
> These are the important lines of the error message. The SPDX artifacts
> differ. AFAIK this is normal, since the `spdx-maven-plugin` has unsolved
> reproducibility problems. Hervé can probably tell you more about the
> status of this plugin.
>
> You can probably run:
>
>     mvn clean verify artifact:compare -Dreference.repo=...
>     '-Dbuildinfo.ignore=*/*.spdx.json'
>
> to ignore the failures on SPDX.
>
> > [ERROR] see diff target/reference/commons-cli-1.10.0.buildinfo
> > target/commons-cli-1.10.0.buildinfo
> > [ERROR] see also
> > https://maven.apache.org/guides/mini/guide-reproducible-builds.html
>
> I am tempted to report this as a bug in the Maven Artifact Plugin:
> unless you use different Java versions or OSes (Windows vs UNIX), the
> differences in the `*.buildinfo` files are not really relevant. It is
> more important to check the differences in the artifacts printed above.
>
> Unfortunately, since this message is near the end of the error, many
> people just diff the `*.buildinfo` files.
>
> Piotr
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
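An added example, not part of the thread and not code from the Maven Artifact Plugin: a triage script that pulls the per-artifact mismatch lines and the summary out of an `artifact:compare` log, so the artifacts that actually differ are reviewed before the `*.buildinfo` diff. The sample log is constructed from the lines quoted above with the e-mail wrapping undone; the function name `triage` and the `.spdx.json` suffix test are assumptions of this sketch.

```python
import re

# Constructed sample: the [ERROR] lines quoted in the thread, unwrapped.
SAMPLE_LOG = (
    "[ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with "
    "diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json "
    "target/site/commons-cli_commons-cli-1.10.0.spdx.json\n"
    "[ERROR] Reproducible Build output summary: 7 files ok, 1 different\n"
    "[ERROR] see diff target/reference/commons-cli-1.10.0.buildinfo "
    "target/commons-cli-1.10.0.buildinfo\n"
)

# Patterns follow the wording of the quoted log lines only.
MISMATCH = re.compile(
    r"^\[ERROR\] (?P<algo>\w+) mismatch (?P<name>\S+): "
    r"investigate with diffoscope (?P<ref>\S+) (?P<actual>\S+)\s*$")
SUMMARY = re.compile(
    r"^\[ERROR\] Reproducible Build output summary: "
    r"(?P<ok>\d+) files? ok, (?P<diff>\d+) different")

def triage(log_text):
    """Hypothetical helper: split mismatches into SPDX documents and the rest."""
    mismatches, summary = [], None
    for line in log_text.splitlines():
        m = MISMATCH.match(line)
        if m:
            mismatches.append(m.groupdict())
            continue
        s = SUMMARY.match(line)
        if s:
            summary = (int(s["ok"]), int(s["diff"]))
    spdx = [m for m in mismatches if m["name"].endswith(".spdx.json")]
    other = [m for m in mismatches if not m["name"].endswith(".spdx.json")]
    return {
        "summary": summary,
        "spdx": spdx,
        "other": other,  # these need a diffoscope run before release
        # True only if every difference counted in the summary was parsed.
        "complete": summary is not None and summary[1] == len(mismatches),
        "only_spdx": bool(mismatches) and not other,
    }

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for m in result["spdx"] + result["other"]:
        print(f"diffoscope {m['ref']} {m['actual']}")
    print("only SPDX documents differ:", result["only_spdx"])
```

A result with `only_spdx` true and `complete` true corresponds to the case described in the reply, where ignoring `*/*.spdx.json` is reasonable; anything in `other` is a difference in a shipped artifact.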