I run, copied from the https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec:
mvn -Prelease clean package package -DskipTests -Dmaven.javadoc.skip -Dgpg.skip -Dcyclonedx.skip -Dcommons.release.dryRun -Dcommons.release.isDistModule=false Then: mvn package package artifact:compare Which gives me: [INFO] --- artifact:3.5.0:compare (default-cli) @ commons-compress --- [WARNING] SCM source tag in buildinfo source.scm.tag=HEAD does not permit rebuilders reproducible source checkout [INFO] Saved info on build to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildinfo [INFO] Checking against reference build from central... [INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts [INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec) [INFO] Reference build os.name: Unix (from pom.properties newline) [INFO] Minimal buildinfo generated from downloaded artifacts: /Users/garydgregory/git/commons-compress/target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo [ERROR] size mismatch commons-compress-1.25.1-SNAPSHOT.jar: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar target/commons-compress-1.25.1-SNAPSHOT.jar [ERROR] size mismatch commons-compress-1.25.1-SNAPSHOT-tests.jar: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT-tests.jar target/commons-compress-1.25.1-SNAPSHOT-tests.jar [ERROR] sha512 mismatch commons-compress-1.25.1-SNAPSHOT.spdx.json: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.spdx.json target/site/org.apache.commons_commons-compress-1.25.1-SNAPSHOT.spdx.json [ERROR] Reproducible Build output summary: 5 files ok, 3 different [ERROR] see diff target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo target/commons-compress-1.25.1-SNAPSHOT.buildinfo [ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html [INFO] Reproducible Build output comparison saved to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildcompare [INFO] ------------------------------------------------------------------------ [INFO] BUILD FAILURE [INFO] ------------------------------------------------------------------------ ? TY, Gary On Fri, Dec 29, 2023 at 8:50 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote: > > Hi Gary, > > On Fri, 29 Dec 2023 at 13:37, Gary Gregory <garydgreg...@gmail.com> wrote: > > I do appreciate the fact that I can ask "Am I reproducible" but the > > output is... cryptic. > > Yes, unfortunately if the check fails, finding the reason of the > failure is hard. > > > For example: > > ... > > ├── META-INF/MANIFEST.MF > > │ @@ -65,11 +65,12 @@ > > │ b.asm;resolution:=optional,javax.crypto;resolution:=optional,javax.cryp > > │ to.spec;resolution:=optional,org.apache.commons.codec.digest,org.apache > > │ .commons.io,org.apache.commons.io.file.attribute,org.apache.commons.io. > > │ input,org.apache.commons.io.output,org.apache.commons.commons-codec;res > > │ olution:=optional,org.apache.commons.commons-io;resolution:=optional > > │ Include-Resource: META-INF/LICENSE.txt=LICENSE.txt,META-INF/NOTICE.txt=N > > │ OTICE.txt > > │ +Originally-Created-By: Apache Maven Bundle Plugin 5.1.9 > > │ Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" > > │ Tool: Bnd-6.4.1.202306080939 > > │ Multi-Release: true > > You have a difference in the MANIFEST.MF that consists of an > additional "Originally-Created-By" header. > > Hervé already solved this mystery and you can find the Maven command > line required here: > > https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec > > The reproducibility problem is caused by multiple executions of the > Apache Maven Bundle Plugin. If you start with an empty `target` > directory: > > * the first execution creates a MANIFEST.MF file, notably a > "Created-By" header, > * the second execution reads the MANIFEST.MF file, changes it and > renames the "Created-By" header from the first execution into > "Originally-Created-By". > > TL;DR: Running `mvn package package artifact:compare` solves the problem. > > Piotr > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
