Hi Piotr and all,

Thank you for the refresher :-)
I do appreciate the fact that I can ask "Am I reproducible" but the output is... cryptic. For example:

git clone https://gitbox.apache.org/repos/asf/commons-compress.git
cd commons-compress
mvn clean install -DskipTests
mvn package artifact:compare \
  -DskipTests \
  -Dcyclonedx.skip \
  -Dcommons.spdx.version=0.7.1 -Dspdx.skip

Tells me:

[INFO] --- artifact:3.5.0:compare (default-cli) @ commons-compress ---
[WARNING] SCM source tag in buildinfo source.scm.tag=HEAD does not permit rebuilders reproducible source checkout
[INFO] Saved info on build to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildinfo
[INFO] Checking against reference build from central...
[INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
[INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Unix (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /Users/garydgregory/git/commons-compress/target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo
[ERROR] size mismatch commons-compress-1.25.1-SNAPSHOT.jar: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar target/commons-compress-1.25.1-SNAPSHOT.jar
[ERROR] Reproducible Build output summary: 4 files ok, 1 different
[ERROR] see diff target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo target/commons-compress-1.25.1-SNAPSHOT.buildinfo
[ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html
[INFO] Reproducible Build output comparison saved to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildcompare
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------

and then:

diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar target/commons-compress-1.25.1-SNAPSHOT.jar

--- target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar
+++ target/commons-compress-1.25.1-SNAPSHOT.jar
├── zipinfo {}
│ @@ -1,9 +1,9 @@
│ -Zip file size: 1058930 bytes, number of entries: 620
│ -?rw-r--r-- 2.0 unx 4615 bX defN 24-Jan-01 00:00 META-INF/MANIFEST.MF
│ +Zip file size: 1058940 bytes, number of entries: 620
│ +?rw-r--r-- 2.0 unx 4672 bX defN 24-Jan-01 00:00 META-INF/MANIFEST.MF
│  ?rwxr-xr-x 1.0 unx 0 bx stor 24-Jan-01 00:00 META-INF/
│  ?rwxr-xr-x 1.0 unx 0 bx stor 24-Jan-01 00:00 org/
│  ?rwxr-xr-x 1.0 unx 0 bx stor 24-Jan-01 00:00 org/apache/
│  ?rwxr-xr-x 1.0 unx 0 bx stor 24-Jan-01 00:00 org/apache/commons/
│  ?rwxr-xr-x 1.0 unx 0 bx stor 24-Jan-01 00:00 org/apache/commons/compress/
│  ?rwxr-xr-x 1.0 unx 0 bx stor 24-Jan-01 00:00 org/apache/commons/compress/archivers/
│  ?rwxr-xr-x 1.0 unx 0 bx stor 24-Jan-01 00:00 org/apache/commons/compress/archivers/ar/
│ @@ -615,8 +615,8 @@
│  ?rw-r--r-- 2.0 unx 3009 bx defN 24-Jan-01 00:00 org/apache/commons/compress/utils/TimeUtils.class
│  ?rw-r--r-- 2.0 unx 139 bx defN 24-Jan-01 00:00 org/apache/commons/compress/utils/package-info.class
│  ?rw-r--r-- 2.0 unx 21657 bx defN 24-Jan-01 00:00 META-INF/maven/org.apache.commons/commons-compress/pom.xml
│  ?rw-r--r-- 2.0 unx 79 bx defN 24-Jan-01 00:00 META-INF/maven/org.apache.commons/commons-compress/pom.properties
│  -rw---- 1.0 fat 0 bx stor 24-Jan-01 00:00 META-INF/versions/
│  -rw---- 1.0 fat 0 bx stor 24-Jan-01 00:00 META-INF/versions/9/
│  -rw---- 2.0 fat 2495 bX defN 24-Jan-01 00:00 META-INF/versions/9/module-info.class
│ -620 files, 2115694 bytes uncompressed, 921522 bytes compressed: 56.5%
│ +620 files, 2115751 bytes uncompressed, 921532 bytes compressed: 56.5%
├── META-INF/MANIFEST.MF
│ @@ -65,11 +65,12 @@
│   b.asm;resolution:=optional,javax.crypto;resolution:=optional,javax.cryp
│   to.spec;resolution:=optional,org.apache.commons.codec.digest,org.apache
│   .commons.io,org.apache.commons.io.file.attribute,org.apache.commons.io.
│   input,org.apache.commons.io.output,org.apache.commons.commons-codec;res
│   olution:=optional,org.apache.commons.commons-io;resolution:=optional
│  Include-Resource: META-INF/LICENSE.txt=LICENSE.txt,META-INF/NOTICE.txt=N
│   OTICE.txt
│ +Originally-Created-By: Apache Maven Bundle Plugin 5.1.9
│  Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))"
│  Tool: Bnd-6.4.1.202306080939
│  Multi-Release: true

Hm.. now what?

Gary

On Thu, Dec 28, 2023 at 11:10 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
>
> Hi Gary,
>
> On Thu, 28 Dec 2023 at 16:03, Gary Gregory <garydgreg...@gmail.com> wrote:
> > What value for $NEXUS_REPO would one use to verify repro _after_ a
> > release? I want to experiment with Apache Commons components...
>
> The `reference.repo` system variable is used by the `referenceRepo`
> parameter of `artifact:compare`:
>
> https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html
>
> with a default value of `central`, so you can skip setting the parameter.
>
> I can reproduce most of the artifacts in your latest Commons
> Fileupload release with this incantation:
>
> export TZ=UTC
> export JAVA_HOME=...path to JDK 17...
> mvn package artifact:compare \
>   -DskipTests \
>   -Dcyclonedx.skip \
>   -Dcommons.spdx.version=0.7.1 -Dspdx.skip
>
> The Maven Artifact Plugin only compares those artifacts, which are
> attached to the current build, so skipping CycloneDX and SPDX
> generation effectively prevents performing a reproducibility check on
> those artifacts.
>
> This is not ideal, but:
>
> * SPDX has a lot of reproducibility problems,
> * CycloneDX is usually reproducible, but I am probably affected by
>   issue#410 [2],
> * we actually only care about the binary artifacts and POMs, the rest
>   is a bonus.
>
> Piotr
>
> [1] https://github.com/jvm-repo-rebuild/reproducible-central
> [2] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/410
>
> PS: We are mixing threads from multiple lists. For those following
> dev@commons, NEXUS_REPO is a reference to this thread from
> dev@logging:
>
> https://lists.apache.org/thread/163ow0knp5q29hrsh1doqm3jwxkrzwoo
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org
> For additional commands, e-mail: dev-h...@commons.apache.org
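
Added example (not part of the original e-mail, and not code from Maven or Commons): one way to narrow down a diffoscope report like the one above is to compare the two JARs entry by entry and, for META-INF/MANIFEST.MF, unfold the 72-byte continuation lines and list the attributes that differ. The in-memory JARs, the Manifest-Version line and the org/example/A.class entry are constructed sample input; the other attribute values are copied from the diff above.

```python
import io
import zipfile

MF = "META-INF/MANIFEST.MF"
# Constructed sample manifests; attribute values are taken from the diff above.
HEAD = ("Manifest-Version: 1.0\r\n"
        "Include-Resource: META-INF/LICENSE.txt=LICENSE.txt,META-INF/NOTICE.txt=N\r\n"
        " OTICE.txt\r\n")
TAIL = "Tool: Bnd-6.4.1.202306080939\r\nMulti-Release: true\r\n\r\n"
REFERENCE_MF = HEAD + TAIL
REBUILT_MF = HEAD + "Originally-Created-By: Apache Maven Bundle Plugin 5.1.9\r\n" + TAIL


def make_jar(manifest):
    """Build a tiny constructed JAR in memory (sample input, not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in ((MF, manifest.encode()), ("org/example/A.class", b"\xca\xfe\xba\xbe")):
            # Fixed entry timestamp, as in the zipinfo listing above.
            zf.writestr(zipfile.ZipInfo(name, (2024, 1, 1, 0, 0, 0)), data)
    return buf.getvalue()


def parse_manifest(raw):
    """Unfold continuation lines (leading space) into a dict of attributes.

    Assumption: only a main section is present, as in the sample data.
    """
    attrs, key = {}, None
    for line in raw.decode("utf-8").splitlines():
        if line.startswith(" ") and key:
            attrs[key] += line[1:]          # continuation of the previous value
        elif ": " in line:
            key, value = line.split(": ", 1)
            attrs[key] = value
    return attrs


def compare_jars(reference, rebuilt):
    """Report entries whose bytes differ and, for the manifest, which attributes."""
    ref, new = zipfile.ZipFile(io.BytesIO(reference)), zipfile.ZipFile(io.BytesIO(rebuilt))
    shared = set(ref.namelist()) & set(new.namelist())
    report = {"only_reference": sorted(set(ref.namelist()) - shared),
              "only_rebuilt": sorted(set(new.namelist()) - shared),
              "changed": sorted(n for n in shared if ref.read(n) != new.read(n)),
              "manifest": {}}
    if MF in report["changed"]:
        a, b = parse_manifest(ref.read(MF)), parse_manifest(new.read(MF))
        report["manifest"] = {k: (a.get(k), b.get(k))
                              for k in a.keys() | b.keys() if a.get(k) != b.get(k)}
    return report


REPORT = compare_jars(make_jar(REFERENCE_MF), make_jar(REBUILT_MF))
print(REPORT)
```

Each value in the "manifest" part of the report is a (reference, rebuilt) pair, so an attribute present in only one build shows None on the other side.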