If you rebuilt with artifact:compare, you have the diffoscope command printed, 
which you can use with basic diff given it's a simple text file in the current 
case:

❯ diffoscope target/reference/org.apache.maven.surefire/surefire-3.5.2-cyclonedx.xml target/bom.xml

--- target/reference/org.apache.maven.surefire/surefire-3.5.2-cyclonedx.xml
+++ target/bom.xml
│   --- target/reference/org.apache.maven.surefire/surefire-3.5.2-cyclonedx.xml
├── +++ target/bom.xml
│ @@ -3134,21 +3134,14 @@
│      <component type="library" 
bom-ref="pkg:maven/org.apache.maven.plugins/maven-surefire-plugin@3.5.2?classifier=site-source&amp;type=zip">
│        <publisher>The Apache Software Foundation</publisher>
│        <group>org.apache.maven.plugins</group>
│        <name>maven-surefire-plugin</name>
│        <version>3.5.2</version>
│        <description>Maven Surefire MOJO in 
maven-surefire-plugin.</description>
│        <scope>required</scope>
│ -      <hashes>
│ -        <hash alg="MD5">dd320a8478e6ea952c5ac14bd108011c</hash>
│ -        <hash alg="SHA-1">483161f6a49714e3a6a76a97178f3e03ab5854e6</hash>
│ -        <hash 
alg="SHA-256">f54dce1a8c1d32d56891c2d9d99a98a5b3559d56a812485b8e96aff502d50589</hash>
│ -        <hash 
alg="SHA-512">613bc473b11cf31bcc7f2128ba17de91a0fafaac4d176fc696f83fba6eff2f4b5d1e2ae0ebd4fadca4ecfbecb4a26ace6db8ca3379f19139eb66f0bb3322a04d</hash>
│ -        <hash 
alg="SHA-384">6ce1ff8197aabff101583ce5078719ee0c9d9af620163d0854920f84f9bdb93433a6006a2671575c75f1b76a2aabd489</hash>
│ -      </hashes>
│        <licenses>
│          <license>
│            <id>Apache-2.0</id>
│            <url>https://www.apache.org/licenses/LICENSE-2.0</url>
│          </license>
│        </licenses>
│        
<purl>pkg:maven/org.apache.maven.plugins/maven-surefire-plugin@3.5.2?classifier=site-source&amp;type=zip</purl>
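
Review bot: in the `maven-surefire-plugin` component with `classifier=site-source` and `type=zip`, the only lines that differ are the `<hashes>` element, present in the reference and absent from the rebuild (7 lines, matching the 21 to 14 in the hunk header); publisher, group, name, version, scope, licenses and purl are unchanged context. That makes this a missing-digest difference rather than a digest mismatch, so it would help to record which of the two outputs is the intended one, since an SBOM entry without hashes gives a consumer nothing to verify that zip against.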


Regards,

Hervé

On Thursday 31 October 2024, 09:47:23 CET Michael Osipov wrote:
> Can you provide a diff because the SBOM is huge?
> 
> On 2024/10/31 07:01:41 Herve Boutemy wrote:
> > +1
> > 
> > Reproducible Builds near fully ok: reference build done with JDK 8 on
> > Windows
> > 
> > the only small difference in my rebuild is the aggregate CycloneDX SBOM: I
> > don't know how you did, but in the reference files, it contains hash for
> > the plugin, which is supposed not to be built yet, hence in my rebuild
> > the hash is not present
> > 
> > Definitively not a blocker, but I'd be interested to understand
> > 
> > Regards,
> > 
> > Hervé
> > 
> > On 2024/10/30 12:20:09 Michael Osipov wrote:
> > > Hi,
> > > 
> > > we solved 6 issues:
> > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12317927&version=12355213
> > > 
> > > There are still a couple of issues left in JIRA:
> > > https://issues.apache.org/jira/issues/?jql=project%20%3D%20SUREFIRE%20AND%20resolution%20%3D%20Unresolved
> > > 
> > > Staging repo:
> > > https://repository.apache.org/content/repositories/maven-2241/
> > > https://repository.apache.org/content/repositories/maven-2241/org/apache/maven/surefire/surefire/3.5.2/surefire-3.5.2-source-release.zip
> > > 
> > > Source release checksum(s):
> > > surefire-3.5.2-source-release.zip
> > > sha512: 7b49b5afca052f1beb0a455525425aeecfde033b211b469860188a9b849675efdaa0758e05c1548ff87e4c3df627c602d58cc3735d57629b9ca8f1b1e3fe55d8
> > > 
> > > Staging site:
> > > https://maven.apache.org/surefire-archives/surefire-LATEST/
> > > 
> > > Guide to testing staged releases:
> > > https://maven.apache.org/guides/development/guide-testing-releases.html
> > > 
> > > Vote open for 72 hours.
> > > 
> > > [ ] +1
> > > [ ] +0
> > > [ ] -1
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
> > > For additional commands, e-mail: dev-h...@maven.apache.org

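The difference discussed at the top of this thread (a component whose `<hashes>` block exists in the reference BOM but not in the rebuilt one) can be told apart from a real digest mismatch with a per-component comparison. The following is an added example, not part of the original e-mails or of the Maven or CycloneDX tooling; the function names and the two sample BOMs are constructed for illustration, and it assumes every component carries a `bom-ref`.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the "{namespace}" prefix so any CycloneDX schema version parses.
    return tag.rsplit("}", 1)[-1]

def component_hashes(bom_xml):
    """Map bom-ref -> {alg: digest} for each <component> in a CycloneDX XML BOM."""
    out = {}
    for comp in ET.fromstring(bom_xml).iter():
        if _local(comp.tag) != "component" or comp.get("bom-ref") is None:
            continue
        out[comp.get("bom-ref")] = {
            h.get("alg"): (h.text or "").strip().lower()
            for block in comp if _local(block.tag) == "hashes"
            for h in block
        }
    return out

def compare_boms(reference_xml, rebuilt_xml):
    """Return sorted (bom_ref, finding, algorithms) tuples for every difference."""
    ref, new = component_hashes(reference_xml), component_hashes(rebuilt_xml)
    findings = []
    for key in sorted(set(ref) | set(new)):
        if key not in ref or key not in new:
            side = "reference" if key in ref else "rebuild"
            findings.append((key, "component only in " + side, []))
            continue
        a, b = ref[key], new[key]
        checks = (
            ("hashes only in reference", set(a) - set(b)),
            ("hashes only in rebuild", set(b) - set(a)),
            ("digest mismatch", {alg for alg in set(a) & set(b) if a[alg] != b[alg]}),
        )
        findings += [(key, what, sorted(algs)) for what, algs in checks if algs]
    return findings

# Constructed sample BOMs: placeholder coordinates and digests, not from the thread.
REFERENCE = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6"><components>
  <component type="library" bom-ref="pkg:maven/org.example/demo-plugin@1.0?type=zip">
    <hashes><hash alg="SHA-256">aa11</hash></hashes></component>
  <component type="library" bom-ref="pkg:maven/org.example/demo-api@1.0?type=jar">
    <hashes><hash alg="SHA-256">bb22</hash></hashes></component>
</components></bom>"""
REBUILT = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6"><components>
  <component type="library" bom-ref="pkg:maven/org.example/demo-plugin@1.0?type=zip"/>
  <component type="library" bom-ref="pkg:maven/org.example/demo-api@1.0?type=jar">
    <hashes><hash alg="SHA-256">cc33</hash></hashes></component>
</components></bom>"""

if __name__ == "__main__":
    for bom_ref, finding, algs in compare_boms(REFERENCE, REBUILT):
        print(finding, bom_ref, ",".join(algs))
```

A "hashes only in reference" finding is the situation reported in this vote; a "digest mismatch" finding means the two builds produced different bytes for the same coordinates.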