Howdy, Just FTR, the 1.9.12 release staging repository changed to: https://repository.apache.org/content/repositories/maven-1965/
This is SAME source release as maven-1962 (vote original staging repository) as SHA512 shows, in fact, EVERY binary is identical (checksum wise) as well, given resolver build is reproducible. The only difference is named-locks Redisson bundle.zip as found by Herve (that was broken due to my environment). It is fixed and made reproducible as well (was fixed by fixing my own environment). Thanks T On Sat, Jun 17, 2023 at 9:57 AM Romain Manni-Bucau <rmannibu...@gmail.com> wrote: > Wouldnt it mean we are sure it was not consommed? Can we check it on nexus? > That said not a blocker today for me since most downstream binaries are not > reproducible anyway. > > Le sam. 17 juin 2023 à 08:56, Guillaume Nodet <gno...@apache.org> a écrit > : > > > Le sam. 17 juin 2023 à 02:50, Hervé Boutemy <herve.bout...@free.fr> a > > écrit : > > > > > yes, same happened in 1.9.11: this is where I found this first, while > > > checking for Reproducible Central > > > > > > > > > > > > https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/maven/resolver/maven-resolver/README.md > > > > > > > > > Yes, dropping your local repo would be nice to avoid such unexpected > > state > > > > > > Lately, umask has been a pain to Reproducible Builds: it gives much > > weight > > > to an environment aspect, with Linux distros changing their default > value > > > recently. > > > > > > > > > On Resolver 1.9.12, we have now multiple options: > > > 1. drop 1.9.12 and go to 1.9.13: looks overkill to me > > > 2. let 1.9.12 binaries as is: reasonable > > > 3. rebuild a new staging repository from Git tag: I'd love this one to > be > > > at least thought a little bit before saying no > > > > > > > Good idea. > > Even if the build was not reproducible, the vote has not been closed and > > the release has not been published, so we can actually rebuild the > > distributions (or even the tag, but that's a different topic). So I > don't > > think we should give it much thoughts, we should just do it :-) > > > > > > > > > > Explanation: > > > Given in reality the build itself is reproducible, but the reference > > build > > > has just one file broken by your desktop environment, it means that if > > you > > > "mvn -Papache-release deploy" from the Git tag, you'll get a new > staging > > > repository that will contain the same binaries (in particular the same > > > -source-release.ziip and its sha512), just with a fixed > > > maven-resolver-named-locks-redisson-1.9.12-bundle.zip > > > The real files that will be different are the .asc files > > > We could later decide if we release to Maven Central from current > > > maven-1962 or the new one > > > > > > Are you ready to try? (and discover one of the nice benefit of > > > Reproducible Builds...) > > > > > > Regards, > > > > > > Hervé > > > > > > Le vendredi 16 juin 2023, 19:23:14 CEST Tamás Cservenák a écrit : > > > > Found it: that above is my laptop, while I did (both) release on my > > > desktop: > > > > > > > > [cstamas@urnebes ~]$ cd > > .m2/repository-oss/org/objenesis/objenesis/3.3/ > > > > [cstamas@urnebes 3.3]$ ll > > > > total 68 > > > > -rw-------. 1 cstamas cstamas 49423 2022 dec 15 objenesis-3.3.jar > > > > -rw-------. 1 cstamas cstamas 40 2022 dec 15 > > objenesis-3.3.jar.sha1 > > > > -rw-------. 1 cstamas cstamas 3007 2022 dec 15 objenesis-3.3.pom > > > > -rw-------. 1 cstamas cstamas 40 2022 dec 15 > > objenesis-3.3.pom.sha1 > > > > -rw-------. 1 cstamas cstamas 192 2022 dec 15 > _remote.repositories > > > > [cstamas@urnebes 3.3]$ > > > > > > > > Hence, the same should be true for 1.9.11 as well. Also, it seems > it's > > > time > > > > to nuke my local repo ;) > > > > > > > > Thanks > > > > T > > > > > > > > On Fri, Jun 16, 2023 at 7:16 PM Tamás Cservenák <ta...@cservenak.net > > > > > wrote: > > > > > Strange.... > > > > > > > > > > [cstamas@blondie ~]$ cd > > > .m2/repository-oss/org/objenesis/objenesis/3.3/ > > > > > [cstamas@blondie 3.3]$ ll > > > > > total 68 > > > > > -rw-r--r--. 1 cstamas cstamas 49423 dec 20 17.30 > objenesis-3.3.jar > > > > > -rw-r--r--. 1 cstamas cstamas 40 dec 20 17.30 > > > objenesis-3.3.jar.sha1 > > > > > -rw-r--r--. 1 cstamas cstamas 3007 dec 20 17.30 > objenesis-3.3.pom > > > > > -rw-r--r--. 1 cstamas cstamas 40 dec 20 17.30 > > > objenesis-3.3.pom.sha1 > > > > > -rw-r--r--. 1 cstamas cstamas 192 dec 20 17.30 > > _remote.repositories > > > > > [cstamas@blondie 3.3]$ > > > > > > > > > > Herve, while at this, please can you check 1.9.11 as well? IMHO > there > > > must > > > > > be the same issue present, or if not, am even more puzzled... > > > > > > > > > > T > > > > > > > > > > On Fri, Jun 16, 2023 at 7:13 PM Hervé Boutemy < > herve.bout...@free.fr > > > > > > > > > > > > > wrote: > > > > >> +1 > > > > >> > > > > >> notice that Reproducible Builds is NOT ok on 1 file: reference > build > > > done > > > > >> on > > > > >> *nix with JDK 17 and umask 022 > > > > >> > > > > >> the only issue is in > > > > >> maven-resolver-named-locks-redisson-1.9.12-bundle.zip: > > > > >> │--rw------- 2.0 unx 49423 b- defN 23-Jun-16 13:32 > > > objenesis-3.3.jar > > > > >> │+-rw-r--r-- 2.0 unx 49423 b- defN 23-Jun-16 13:32 > > > objenesis-3.3.jar > > > > >> it seems your local repository contains a objenesis-3.3.jar which > is > > > not > > > > >> group > > > > >> nor world wide readable > > > > >> > > > > >> Regards, > > > > >> > > > > >> Hervé > > > > >> > > > > >> Le vendredi 16 juin 2023, 15:57:43 CEST Tamás Cservenák a écrit : > > > > >> > Howdy, > > > > >> > > > > >> > We solved 1 issue: > > > > >> > > > > > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12320628 > > > > >> &ve>> > > > > >> > rsion=12353340 > > > > >> > > > > > >> > There are still some issues in JIRA: > > > > >> > https://issues.apache.org/jira/projects/MRESOLVER/issues > > > > >> > > > > > >> > Staging repository: > > > > >> > https://repository.apache.org/content/repositories/maven-1962/ > > > > >> > > > > >> > Source release SHA512: > > > > >> > > > > b24cbd998e1739a89eb693b764fef9f476d53a5b1546ffb87941afcdc9c76bdcd69cbf924 > > > > >> 782>> > > > > >> > ded6067388679446c25c166364cd9ac450e8ef17a70d3f1045ce > > > > >> > > > > > >> > Staging site: > > > > >> > https://maven.apache.org/resolver-archives/resolver-LATEST/ > > > > >> > > > > > >> > Guide to testing staged releases: > > > > >> > > > > > https://maven.apache.org/guides/development/guide-testing-releases.html > > > > >> > > > > > >> > Vote open for 72 hours. > > > > >> > > > > > >> > [ ] +1 > > > > >> > [ ] +0 > > > > >> > [ ] -1 > > > > >> > > > > >> > > --------------------------------------------------------------------- > > > > >> To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > > > > >> For additional commands, e-mail: dev-h...@maven.apache.org > > > > > > > > > > > > > > > > > > --------------------------------------------------------------------- > > > To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org > > > For additional commands, e-mail: dev-h...@maven.apache.org > > > > > > > > > > -- > > ------------------------ > > Guillaume Nodet > > >
