[ 
https://issues.apache.org/jira/browse/JSPWIKI-1202?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17913855#comment-17913855
 ] 

Herve Boutemy commented on JSPWIKI-1202:
----------------------------------------

> So, basically this means that the commons-fileupload file sitting in the .m2 
> repo of the release manager of the last releases (probably me) is somehow 
> borked, right? It would be a matter of simply deleting it from the local .m2. 
> Or more generally, mvn dependency:purge-local-repository and all would be 
> fine?

yes

> More importantly, how could this be avoided by the release manager next time 
> we do a release?

apart from knowing about this type of issue and solutions = what I'm doing 
currently by explaining to those who have been hit by the issue
the solution IMHO is not only in the hands of the release manager, who may make 
mistakes (that's usual life): key solution to me is at project team level 
during vote: when voting, project team do a local rebuild
if voters were comparing their build result with the content being voted, they 
could discover if anything wrong is happening

for project members, who know how to build, this is about replacing "mvn 
package" or "mvn verify" by "mvn verify artifact:compare 
-Dreference.repo=https://repository.apache.org/content/repositories/staging/";
and also know you should refrain from "mvn install" during votes on release 
candidates: install should be used for SNAPSHOTs only

> Isn't it enough for a reproducible build to have all dependencies' and all 
> plugins' versions specified?

the build itself is reproducible: it's the local environment that contains 
"wrong" dependencies

> shouldn't a broken jar in the local repository be caught by the .jar.sha and be 
> fixed by mvn -U ?

I fear that the "mvn install" that created the bad data created the sha sum at 
the same time: content is consistent locally, inconsistent only against remote 
"official" content

> JSPWiki release contains wrong commons-fileupload-1.5.jar
> ---------------------------------------------------------
>
>                 Key: JSPWIKI-1202
>                 URL: https://issues.apache.org/jira/browse/JSPWIKI-1202
>             Project: JSPWiki
>          Issue Type: Bug
>          Components: Build system
>    Affects Versions: 2.12.1, 2.12.2
>            Reporter: Herve Boutemy
>            Priority: Major
>
> when rebuilding JSPWiki releases, I found that commons-fileupload-1.5.jar 
> included in every .war file is different from the official one in Maven 
> Central 
> https://repo1.maven.org/maven2/commons-fileupload/commons-fileupload/1.5/commons-fileupload-1.5.jar
> for more details and rebuild instructions, see 
> https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/jspwiki/README.md



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
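
One way to spot the situation described in the comment above (a release artifact that reached the local repository through "mvn install" instead of a download), as an added example that is not part of the original message or of the JSPWiki or Maven tooling. It assumes the `_remote.repositories` tracking files written by Maven 3, where an empty repository id after `>` marks a locally installed file; `find_installed_releases` and `make_sample_repo` are hypothetical names and the sample repository is constructed.

```shell
#!/bin/sh
# List release (non-SNAPSHOT) jars in a local Maven repository that were put
# there by "mvn install" rather than downloaded from a remote repository.
# Assumption: each tracking line reads "<file>><repo-id>=", and an empty
# repo-id ("foo.jar>=") means the file was installed locally.
find_installed_releases() {
    repo=$1
    find "$repo" -type f -name _remote.repositories | sort |
    while IFS= read -r tracking; do
        dir=$(dirname "$tracking")
        # Locally installed SNAPSHOTs are expected; only releases are suspect.
        case "$dir" in *-SNAPSHOT) continue ;; esac
        # Keep jar entries whose repository id is empty.
        sed -n 's/^\(.*\.jar\)>=$/\1/p' "$tracking" |
        while IFS= read -r jar; do
            if [ -f "$dir/$jar" ]; then printf '%s\n' "$dir/$jar"; fi
        done
    done
}

# Build a small constructed repository layout with three cases.
make_sample_repo() {
    root=$1
    # Case 1: release jar installed locally (the case from this issue).
    d=$root/commons-fileupload/commons-fileupload/1.5
    mkdir -p "$d"; : > "$d/commons-fileupload-1.5.jar"
    printf '%s\n' '#constructed tracking file' \
        'commons-fileupload-1.5.jar>=' 'commons-fileupload-1.5.pom>=' \
        > "$d/_remote.repositories"
    # Case 2: release jar downloaded from a remote repository.
    d=$root/commons-io/commons-io/2.11.0
    mkdir -p "$d"; : > "$d/commons-io-2.11.0.jar"
    printf '%s\n' 'commons-io-2.11.0.jar>central=' > "$d/_remote.repositories"
    # Case 3: SNAPSHOT installed locally, which is normal use of install.
    d=$root/org/example/demo/1.0-SNAPSHOT
    mkdir -p "$d"; : > "$d/demo-1.0-SNAPSHOT.jar"
    printf '%s\n' 'demo-1.0-SNAPSHOT.jar>=' > "$d/_remote.repositories"
}

# Usage as a script: sh check.sh "$HOME/.m2/repository"
if [ $# -gt 0 ]; then
    find_installed_releases "$1"
fi
```

Any path it prints is a candidate for deletion from the local repository so that the next build downloads the artifact again.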
