Thank you for your review Alex, minor comments below. On Sun, Apr 19, 2026 at 9:22 AM Alex Herbert <[email protected]> wrote: > > Built from the source tar.gz archive on JDK 17 and 8: > > $ mvn # (default goal) > > Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9) > Maven home: /Users/ah403/mvn/mvn > Java version: 17.0.17, vendor: Eclipse Adoptium, runtime: > /Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home > Default locale: en_GB, platform encoding: UTF-8 > OS name: "mac os x", version: "26.3.1", arch: "aarch64", family: "mac" > > $ mvn clean verify site > > Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9) > Maven home: /Users/ah403/mvn/mvn > Java version: 1.8.0_472, vendor: Temurin, runtime: > /Library/Java/JavaVirtualMachines/temurin-8.jdk/Contents/Home/jre > Default locale: en_GB, platform encoding: UTF-8 > OS name: "mac os x", version: "26.3.1", arch: "x86_64", family: "mac" > > Note: This runs 'prepare-checkout' which downloads the current site using > svn. This is useful for release managers to update the site by copying > target/site to site-contents. It is not useful for a consumer of the source > who would like to locally build the site. I think this should be run via an > opt in profile.
Right, this is likely a remnant of how some component releases used to work. I'm not sure if this is still required by any of our 2 Maven plugins. > > The rat report has 43 unapproved files. This is the same issue seen with > the rat report in recent releases of commons RNG and Numbers using commons > parent 98. The parent did not duplicate the excludes configuration between > build (where it works) and reporting (where it does not exclude project > appended excludes). This might get fixed with a new release of commons-parent that now uses the non-deprecated exclusion tags. I'll do that next. > > japicmp looks OK. New API has correct spelling/grammar. > > Note: There is a @since 2.13.0 in the javadoc for the > new FlushShieldOutputStream.Builder. All other new API have the correct > @since 2.22.0 tag. Fixed in git master. > > Spotbugs clean. > > Jira report is OK. There are many tickets not associated with a version and > these go to the top of the report. Some are very old and still not closed > although they are resolved. I think a bulk close of tickets with a tag > would have missed closing them. > > Check reproducibility: does not work for me: The reproducibility workflow is best debugged by Piotr. TY! Gary > > mvn clean verify artifact:compare -DskipTests -Dreference.repo= > https://repository.apache.org/content/repositories/staging/ > '-Dbuildinfo.ignore=*/*.spdx.json' > > [INFO] Reference build java.version: 21 (from MANIFEST.MF Build-Jdk-Spec) > [ERROR] Current build java.version: 1.8 (from MANIFEST.MF Build-Jdk-Spec) > [INFO] Reference build os.name: Unix (from pom.properties newline) > [INFO] Minimal buildinfo generated from downloaded artifacts: > /private/tmp/commons-io-2.22.0-src/target/reference/commons-io-2.22.0.buildinfo > [ERROR] size mismatch commons-io-2.22.0.jar: investigate with diffoscope > target/reference/commons-io/commons-io-2.22.0.jar > target/commons-io-2.22.0.jar > [ERROR] size mismatch commons-io-2.22.0-tests.jar: investigate with > diffoscope target/reference/commons-io/commons-io-2.22.0-tests.jar > target/commons-io-2.22.0-tests.jar > [ERROR] size mismatch commons-io-2.22.0-sources.jar: investigate with > diffoscope target/reference/commons-io/commons-io-2.22.0-sources.jar > target/commons-io-2.22.0-sources.jar > [ERROR] size mismatch commons-io-2.22.0-test-sources.jar: investigate with > diffoscope target/reference/commons-io/commons-io-2.22.0-test-sources.jar > target/commons-io-2.22.0-test-sources.jar > [ERROR] size mismatch commons-io-2.22.0-cyclonedx.xml: investigate with > diffoscope target/reference/commons-io/commons-io-2.22.0-cyclonedx.xml > target/commons-io-2.22.0-bom.xml > [ERROR] size mismatch commons-io-2.22.0-cyclonedx.json: investigate with > diffoscope target/reference/commons-io/commons-io-2.22.0-cyclonedx.json > target/commons-io-2.22.0-bom.json > [ERROR] [Reproducible Builds] rebuild comparison result: 1 files match, 6 > differ, 1 ignored > [ERROR] saved to > target/commons-io-2.22.0.buildcompare > [ERROR] [Reproducible Builds] to analyze the differences, see diffoscope > instructions in target/commons-io-2.22.0.buildcompare > [ERROR] see also > https://maven.apache.org/guides/mini/guide-reproducible-builds.html > > Note sure what is wrong here. The diffoscope command shows a big > difference. Obviously my JDK 8 build does not match the JDK 21 build. > Switch to JDK 21: > > Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9) > Maven home: /Users/ah403/mvn/mvn > Java version: 21.0.9, vendor: Eclipse Adoptium, runtime: > /Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home > Default locale: en_GB, platform encoding: UTF-8 > OS name: "mac os x", version: "26.3.1", arch: "aarch64", family: "mac" > > Here I get a better match but it still errors: > > [INFO] --- artifact:3.6.1:compare (default-cli) @ commons-io --- > [INFO] Saved info on build to > /private/tmp/commons-io-2.22.0-src/target/commons-io-2.22.0.buildinfo > [INFO] Checking against reference build from > https://repository.apache.org/content/repositories/staging/... > [INFO] Reference buildinfo file not found: it will be generated from > downloaded reference artifacts > [INFO] Reference build java.version: 21 (from MANIFEST.MF Build-Jdk-Spec) > [INFO] Reference build os.name: Unix (from pom.properties newline) > [INFO] Minimal buildinfo generated from downloaded artifacts: > /private/tmp/commons-io-2.22.0-src/target/reference/commons-io-2.22.0.buildinfo > [ERROR] sha512 mismatch commons-io-2.22.0.jar: investigate with diffoscope > target/reference/commons-io/commons-io-2.22.0.jar > target/commons-io-2.22.0.jar > [ERROR] [Reproducible Builds] rebuild comparison result: 6 files match, 1 > differ, 1 ignored > [ERROR] saved to > target/commons-io-2.22.0.buildcompare > [ERROR] [Reproducible Builds] to analyze the differences, see diffoscope > instructions in target/commons-io-2.22.0.buildcompare > [ERROR] see also > https://maven.apache.org/guides/mini/guide-reproducible-builds.html > > The diffoscope is always for a character mismatch between '\' and 'd' so it > could be a platform encoding issue. E.g. > > $ diffoscope target/reference/commons-io/commons-io-2.22.0.jar > target/commons-io-2.22.0.jar > > --- target/reference/commons-io/commons-io-2.22.0.jar > +++ target/commons-io-2.22.0.jar > │┄ Command `'zipdetails --redact --utc {}'` failed with exit code 255. > Standard output: > │┄ Unknown option: redact > │┄ Unknown option: utc > │┄ Invalid command line option > │┄ > │┄ > │┄ zipdetails [OPTIONS] file > │┄ > │┄ Display details about the internal structure of a Zip file. > │┄ > │┄ This is zipdetails version 2.02 [...] > │┄ Archive contents identical but files differ, possibly due to different > compression levels. Falling back to binary comparison. > @@ -1,12 +1,12 @@ > -00000000: 504b 0304 1400 0808 0800 eb5c 935c 0000 PK.........\.\.. > +00000000: 504b 0304 1400 0808 0800 eb64 935c 0000 PK.........d.\.. > 00000010: 0000 0000 0000 0000 0000 0900 0400 4d45 ..............ME > 00000020: 5441 2d49 4e46 2ffe ca00 0003 0050 4b07 TA-INF/......PK. > 00000030: 0800 0000 0002 0000 0000 0000 0050 4b03 .............PK. > -00000040: 0414 0008 0808 00eb 5c93 5c00 0000 0000 ........\.\..... > +00000040: 0414 0008 0808 00eb 6493 5c00 0000 0000 ........d.\..... > 00000050: 0000 0000 0000 0014 0000 004d 4554 412d ...........META- > > I am not sure this really matters. > > +1: Release these artifacts > > Alex > > > On Sun, 19 Apr 2026 at 13:13, Gary Gregory <[email protected]> wrote: > > > We have fixed a few bugs and added enhancements since the release of > > Apache Commons IO 2.21.0, so I would like to release Apache Commons IO > > 2.22.0. > > > > Apache Commons IO 2.22.0 RC2 is available for review here: > > https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2 (svn > > revision 83912) > > > > The Git tag commons-io-2.22.0-RC2 commit for this RC is > > c14acc16f73e44a75b2062b17aacb26c4feda746, which you can browse here: > > > > https://gitbox.apache.org/repos/asf?p=commons-io.git;a=commit;h=c14acc16f73e44a75b2062b17aacb26c4feda746 > > You may checkout this tag using: > > git clone https://gitbox.apache.org/repos/asf/commons-io.git > > --branch commons-io-2.22.0-RC2 commons-io-2.22.0-RC2 > > > > Maven artifacts are here: > > > > https://repository.apache.org/content/repositories/orgapachecommons-1930/commons-io/commons-io/2.22.0/ > > > > These are the artifacts and their hashes: > > > > #Release SHA-512s > > #Sun Apr 19 12:01:22 UTC 2026 > > > > commons-io-2.22.0-bin.tar.gz=aa8184f097ee9d43b2fbe56a82ca1ed3f0f4c153687cc18c4d218601948270a92a69c36224317db236715064946a3799727de5c3e57c536ddbaf61a98d84c737 > > > > commons-io-2.22.0-bin.zip=08e0da663c61cf01f56af3310cc9999c94d96f431e6025e25f83c666e7a1ff0278cf35b5eade2ef0c12f4621c9de0eaa2fbf8ae3d83ce6c7dee4f763d5545edd > > > > commons-io-2.22.0-bom.json=4c60288b55646b10477366adf7cf377851138c74b03aee6a9271759ef98612067a6a9b599e04875ff598e69099f0c1ed59f3e9d27942e6dda71f933830038156 > > > > commons-io-2.22.0-bom.xml=15d218ec2ce3f5a7f8617b018b7b8ba72326d42da6b43802bdc6c204ed14ce33ae86643cf12e42fb2e5f36c9723b739f27f0e3634ccb1cbd8055045384763e5b > > > > commons-io-2.22.0-javadoc.jar=f4b107e3e3f3a506687f43b32dead2d47ba86f9f1890255cd1d2f3b6282768153b929e14c0304e6c5cfc84c35f44e0d4ba6e35ec757d13dd7e49bf7d43f7d287 > > > > commons-io-2.22.0-sources.jar=8efd430402f1efc21c9bb14e6189941f5edd4bab71e2426717d67a6957aa4f857394c9214887606a21cc7fb08c102d919bd194bfeafa6396a2ebce62336e28ed > > > > commons-io-2.22.0-src.tar.gz=75029377b023180f518f2a4fd3079bb032f0975a9a1826a332e08c615a5f7ed55e4332f7d9964962bdef36aa42e36642dd36f877a9760a266aad2fd003a762fb > > > > commons-io-2.22.0-src.zip=5a6db8e897e55e923ae6d24ea6b0aa8c264dd85fdc0aafa2885c480b0b1444d8e801f9c4e308973e16ef62bc0bb8bd91431bc8716b36be0756f01de4dbe96649 > > > > commons-io-2.22.0-test-sources.jar=f3b7f3a65dbac653c0abadfae99284cf8e2f96eb91497b1dfbe966b8cf81837405e89656da531a188bae43b557effd41b10ff577f43d27f5a42d201c57fe33c7 > > > > commons-io-2.22.0-tests.jar=569dbc8c43ea079bf197a2f5f80564121da51670e1233f333567968863ee5fd16689b9e7e88e235d9621d4b81ead6bd122600be6352c03394db990eee83f261e > > > > commons-io_commons-io-2.22.0.spdx.json=7de9362d3ac4b055889f571eef6ff77dc6fc7efbf855c2c680052728c6adf1be1f5bba208c13db8d5ab52b4e06a8ef2e03dcab576302644183dffe6f83f7764b > > > > > > > > I have tested this with 'mvn' and 'mvn clean install site' using: > > > > openjdk version "21.0.10" 2026-01-20 > > OpenJDK Runtime Environment Homebrew (build 21.0.10) > > OpenJDK 64-Bit Server VM Homebrew (build 21.0.10, mixed mode, sharing) > > > > Apache Maven 3.9.15 (98b2cdbfdb5f1ac8781f537ea9acccaed7922349) > > Maven home: /opt/homebrew/Cellar/maven/3.9.15/libexec > > Java version: 21.0.10, vendor: Homebrew, runtime: > > /opt/homebrew/Cellar/openjdk@21/21.0.10/libexec/openjdk.jdk/Contents/Home > > Default locale: en_US, platform encoding: UTF-8 > > OS name: "mac os x", version: "26.4.1", arch: "aarch64", family: "mac" > > > > Darwin ****.local 25.4.0 Darwin Kernel Version 25.4.0: Thu Mar 19 > > 19:33:25 PDT 2026; root:xnu-12377.101.15~1/RELEASE_ARM64_T6041 arm64 > > > > Docker version 29.4.0, build 9d7ad9f > > > > > > Details of changes since 2.21.0 are in the release notes: > > > > https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/RELEASE-NOTES.txt > > > > https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/changes.html > > > > Site: > > > > https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/index.html > > (Note some *relative* links are broken and the 2.22.0 directories > > are not yet created - these will be OK once the site is deployed.) > > > > JApiCmp Report (compared to 2.21.0): > > > > https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/japicmp.html > > > > RAT Report: > > > > https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/rat-report.html > > > > KEYS: > > https://downloads.apache.org/commons/KEYS > > > > Please review the release candidate and vote. > > This vote will close no sooner than 72 hours from now. > > > > [ ] +1 Release these artifacts > > [ ] +0 OK, but... > > [ ] -0 OK, but really should fix... > > [ ] -1 I oppose this release because... > > > > Thank you, > > > > Gary Gregory, > > Release Manager (using key 530AA5F25C25011F) > > > > The following is intended as a helper and refresher for reviewers. > > > > Validating a release candidate > > ============================== > > > > These guidelines are NOT complete. > > > > Requirements: Git, Java, and Maven. > > > > You can validate a release from a release candidate (RC) tag as follows. > > > > 1a) Download and decompress the source archive from: > > > > https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/source > > > > 1b) Check out the RC tag from git (optional) > > > > This is optional, as a reviewer must at least check source distributions. > > > > git clone https://gitbox.apache.org/repos/asf/commons-io.git --branch > > commons-io-2.22.0-RC2 commons-io-2.22.0-RC2 > > cd commons-io-2.22.0-RC2 > > > > 2) Checking the build > > > > All components should include a default Maven goal, such that you can > > run 'mvn' from the command line by itself. > > > > 2) Check Apache licenses > > > > This step is not required if the site includes a RAT report page, > > which you then must check. > > This check should be included in the default Maven build, but you can > > check it with: > > > > mvn apache-rat:check > > > > 3) Check binary compatibility > > > > This step is not required if the site includes a JApiCmp report page, > > which you then must check. > > This check should be included in the default Maven build, but you can > > check it with: > > > > mvn verify -DskipTests -P japicmp japicmp:cmp > > > > 4) Build the package > > > > This check should be included in the default Maven build, but you can > > check it with: > > > > mvn -V clean package > > > > You can record the Maven and Java version produced by -V in your VOTE > > reply. > > To gather OS information from a command line: > > Windows: ver > > Linux: uname -a > > > > 4b) Check reproducibility > > > > To check that a build is reproducible, run: > > > > mvn clean verify artifact:compare -DskipTests > > -Dreference.repo= > > https://repository.apache.org/content/repositories/staging/ > > '-Dbuildinfo.ignore=*/*.spdx.json' > > > > Note that this excludes SPDX files from the check. > > > > 5) Build the site for a single module project > > > > Note: Some plugins require the components to be installed instead of > > packaged. > > > > mvn site > > Check the site reports in: > > - Windows: target\site\index.html > > - Linux: target/site/index.html > > > > -the end- > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
