Re: [ALL] Reproducible builds

2025-01-27 Thread Herve Boutemy
it would be more a feature request = "build SPDX output in a reproducible way" for now, I generally ignore SPDX output when checking rebuild output: I do not have time to contribute more to spdx-maven-plugin Regards, Hervé On 2025/01/24 13:19:53 Gary Gregory wrote: > Piotr, > > Is there at le

Re: [ALL] Reproducible builds

2025-01-24 Thread Gary Gregory
Piotr, Is there at least a bug to report to the SPDX project? Gary On Sun, Jan 12, 2025 at 11:03 AM Piotr P. Karwasz wrote: > > Hi Gary, > > On 12.01.2025 13:40, Gary Gregory wrote: > > [ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with > > diffoscope target/reference/common

Re: [ALL] Reproducible builds

2025-01-12 Thread Gary Gregory
On Sun, Jan 12, 2025 at 11:03 AM Piotr P. Karwasz wrote: > > Hi Gary, > > On 12.01.2025 13:40, Gary Gregory wrote: > > [ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with > > diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json > > target/site/commons-cli_commons

Re: [ALL] Reproducible builds

2025-01-12 Thread Piotr P. Karwasz
Hi Gary, On 12.01.2025 13:40, Gary Gregory wrote: [ERROR] sha512 mismatch commons-cli-1.10.0.spdx.json: investigate with diffoscope target/reference/commons-cli/commons-cli-1.10.0.spdx.json target/site/commons-cli_commons-cli-1.10.0.spdx.json [ERROR] Reproducible Build output summary: 7 files ok

Re: [ALL] Reproducible builds

2025-01-12 Thread Gary Gregory
So, I built a release candidate for Apache Commons CSV but did not call a vote. Tell me (Piotr, Herve, ...) if I get this right: I downloaded https://dist.apache.org/repos/dist/dev/commons/cli/1.10.0-RC1/source/commons-cli-1.10.0-src.zip and: cd ~/rc unzip commons-cli-1.10.0-src.zip cd commons-

Re: [ALL] Reproducible builds

2025-01-11 Thread Piotr P. Karwasz
Hi Gary, On 11.01.2025 15:59, Gary Gregory wrote: In a vote thread, Herve wrote: " install should seriously be avoided when voting, but verify or package And with mvn clean verify site -s "$HOME/.m2/commons-settings.xml" artifact:compare -Dreference.repo=https://repository.apache.org/content/r

[ALL] Reproducible builds

2025-01-11 Thread Gary Gregory
In a vote thread, Herve wrote: " install should seriously be avoided when voting, but verify or package And with mvn clean verify site -s "$HOME/.m2/commons-settings.xml" artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/staging/ any voter can get his own check