it would be more a feature request = "build SPDX output in a reproducible way"
for now, I generally ignore SPDX output when checking rebuild output: I do not have time to contribute more to spdx-maven-plugin Regards, Hervé On 2025/01/24 13:19:53 Gary Gregory wrote: > Piotr, > > Is there at least a bug to report to the SPDX project? > > Gary > > On Sun, Jan 12, 2025 at 11:03 AM Piotr P. Karwasz > <pi...@mailing.copernik.eu> wrote: > > > > Hi Gary, > > > > On 12.01.2025 13:40, Gary Gregory wrote: > > > [ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with > > > diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json > > > target/site/commons-cli_commons-cli-1.10.0.spdx.json > > > [ERROR] Reproducible Build output summary: 7 files ok, 1 different > > > > These are the important lines of the error message. The SPDX artifacts > > differ. AFAIK this is normal, since the `spdx-maven-plugin` has unsolved > > reproducibility problems. Hervé can probably tell you more about the > > status of this plugin. > > > > You can probably run: > > > > mvn clean verify artifact:compare -Dreference.repo=... > > '-Dbuildinfo.ignore=*/*.spdx.json' > > > > to ignore the failures on SPDX. > > > > > [ERROR] see diff target/reference/commons-cli-1.10.0.buildinfo > > > target/commons-cli-1.10.0.buildinfo > > > [ERROR] see also > > > https://maven.apache.org/guides/mini/guide-reproducible-builds.html > > > > I am tempted to report this as a bug in the Maven Artifact Plugin: > > unless you use different Java versions or OSes (Windows vs UNIX), the > > differences in the `*.buildinfo` files are not really relevant. It is > > more important to check the differences in the artifacts printed above. > > > > Unfortunately, since this message is near the end of the error, many > > people just diff the `*.buildinfo` files. > > > > Piotr > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
