Hi Gary,
On 12.04.2025 19:59, Gary Gregory wrote:
> Please review the release candidate and vote. This vote will close
> no sooner than 72 hours from now.
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
+1, release these artifacts even if the CycloneDX SBOM contains errors.
I have performed the following checks:
1. I checked the checksums and your signatures on the archives.
2. Ran the tests and verified reproducibility using:
openjdk version "21.0.6" 2025-01-21 LTS
OpenJDK Runtime Environment Temurin-21.0.6+7 (build 21.0.6+7-LTS)
OpenJDK 64-Bit Server VM Temurin-21.0.6+7 (build 21.0.6+7-LTS, mixed
mode, sharing)
Apache Maven 3.8.7
Maven home: /usr/share/maven
Java version: 21.0.6, vendor: Eclipse Adoptium, runtime:
/usr/lib/jvm/temurin-21-jdk-amd64
Default locale: pl_PL, platform encoding: UTF-8
OS name: "linux", version: "6.1.0-18-amd64", arch: "amd64", family: "unix"
export TZ=UTC
mvn verify artifact:compare \
  -Prelease -Pjacoco -Pjapicmp \
  -Dreference.repo=https://repository.apache.org/content/repositories/orgapachecommons-1819 \
  -Dbuildinfo.ignore='*/*.spdx.json'
The CycloneDX SBOM contains the wrong hash for `commons-logging`.
As soon as I release `sbom-enforcer` [1], which has a check for this, I will
consider these problems blocking.
Piotr
[1] https://github.com/sbom-enforcer/sbom-enforcer
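The kind of SBOM hash cross-check this vote wants automated, as an added example (not code from the thread, from Commons, or from sbom-enforcer); the CycloneDX document, the jar bytes and the commons-logging version below are constructed stand-ins:

```python
"""Cross-check component hashes in a CycloneDX JSON SBOM against the real
artifact bytes. Added example, not from the thread; the SBOM and jar
contents below are constructed stand-ins, not the release candidate."""
import hashlib
import json

# Constructed sample artifact contents (stand-ins for the real jars).
ARTIFACTS = {
    "commons-logging:commons-logging:0.0-constructed": b"stand-in bytes for commons-logging.jar",
    "org.example:other-lib:2.0": b"stand-in bytes for other-lib.jar",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed CycloneDX 1.5 JSON: one component hashed correctly, one
# recorded with a stale hash (the failure mode reported in the vote above).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"group": "org.example", "name": "other-lib", "version": "2.0",
         "hashes": [{"alg": "SHA-256",
                     "content": sha256_hex(ARTIFACTS["org.example:other-lib:2.0"])}]},
        {"group": "commons-logging", "name": "commons-logging", "version": "0.0-constructed",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},
    ],
})

def check_sbom_hashes(sbom_json: str, artifacts: dict) -> list:
    """Return (coordinate, recorded, actual) for every component whose SHA-256
    does not match its artifact bytes; a component with no artifact is reported too."""
    mismatches = []
    for comp in json.loads(sbom_json).get("components", []):
        coord = f"{comp.get('group')}:{comp['name']}:{comp.get('version')}"
        recorded = {h["alg"]: h["content"].lower() for h in comp.get("hashes", [])}
        data = artifacts.get(coord)
        if data is None:
            mismatches.append((coord, recorded.get("SHA-256"), None))
            continue
        actual = sha256_hex(data)
        if recorded.get("SHA-256") != actual:
            mismatches.append((coord, recorded.get("SHA-256"), actual))
    return mismatches

if __name__ == "__main__":
    for coord, rec, act in check_sbom_hashes(SBOM_JSON, ARTIFACTS):
        print(f"MISMATCH {coord}: sbom={rec} actual={act}")
```

Against a real release candidate, `ARTIFACTS` would be filled from the jars in the staging repository and the SBOM read from the `*.cdx.json` attached to the build.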