[ https://issues.apache.org/jira/browse/JSPWIKI-1202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17913299#comment-17913299 ]

Juan Pablo Santos Rodríguez commented on JSPWIKI-1202:
------------------------------------------------------

Hi [~hboutemy]! Apologies for the late response.

So, basically this means that the commons-fileupload file sitting in the 
{{.m2}} repo of the release manager of the last releases (probably me) is 
somehow borked, right? It would be a matter of simply deleting it from the 
local {{.m2}}. Or more generally, {{mvn dependency:purge-local-repository}} and 
all would be fine?

We aren't enforcing reproducible builds right now, other than fixing plugin 
versions, but I think it would be really nice to ensure it on a per-build 
basis. AIUI, this would entail launching the build on two separate nodes, and 
comparing the checksums, am I right? Or is there anything like reproducible 
builds / per-build available? More importantly, how could this be avoided by 
the release manager next time we do a release? Having a borked jar on a local 
{{.m2}} would mean building twice would get the same checksums. This would have 
to be caught basically when voting, I assume?

thanks + best regards,

> JSPWiki release contains wrong commons-fileupload-1.5.jar
> ---------------------------------------------------------
>
>                 Key: JSPWIKI-1202
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1202
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Build system
>    Affects Versions: 2.12.1, 2.12.2
>            Reporter: Herve Boutemy
>            Priority: Major
>
> When rebuilding JSPWiki releases, I found that commons-fileupload-1.5.jar 
> included in every .war file is different from the official one in Maven 
> Central:
> https://repo1.maven.org/maven2/commons-fileupload/commons-fileupload/1.5/commons-fileupload-1.5.jar
> For more details and rebuild instructions, see 
> https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/jspwiki/README.md



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
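
Added example, not part of the original message or of the JSPWiki build: two builds from the same local {{.m2}} embed the same jar, so one way to catch the problem reported here is to compare each jar under WEB-INF/lib/ of the built .war with a digest obtained independently of the local cache. The function names, the sample .war and the digests below are constructed for illustration; real expected values would come from a trusted source such as the Maven Central copy linked in the issue.

```python
import hashlib
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_war(war, expected):
    """Check the jars bundled in a .war against independently obtained digests.

    war: path or file-like object; expected: {jar file name: sha256 hex}.
    Returns {jar file name: "ok" | "mismatch" | "unpinned" | "missing"}.
    """
    report = {}
    with zipfile.ZipFile(war) as zf:
        for info in zf.infolist():
            name = info.filename
            if not (name.startswith("WEB-INF/lib/") and name.endswith(".jar")):
                continue
            jar = name.rsplit("/", 1)[1]
            if jar not in expected:
                report[jar] = "unpinned"   # bundled, but no reference digest
            elif sha256_hex(zf.read(info)) == expected[jar].lower():
                report[jar] = "ok"
            else:
                report[jar] = "mismatch"   # differs from the reference copy
    for jar in expected:
        report.setdefault(jar, "missing")  # pinned, but not in the .war
    return report


def build_sample_war(libs):
    """Build an in-memory .war holding the given {jar name: bytes} (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        for jar, content in libs.items():
            zf.writestr("WEB-INF/lib/" + jar, content)
    buf.seek(0)
    return buf


# Constructed stand-ins: placeholder bytes, not real jar contents or digests.
OFFICIAL = {"commons-fileupload-1.5.jar": b"official bytes",
            "example-lib-1.0.jar": b"example bytes"}
EXPECTED = {jar: sha256_hex(data) for jar, data in OFFICIAL.items()}
LOCAL_CACHE = {**OFFICIAL, "commons-fileupload-1.5.jar": b"altered local copy"}

if __name__ == "__main__":
    for jar, status in sorted(audit_war(build_sample_war(LOCAL_CACHE), EXPECTED).items()):
        print(f"{status:9} {jar}")
```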
