Hi Gary,

On 5.12.2025 14:25, Gary Gregory wrote:
>> - Verified reproducibility with JDK 25 and timezone set to UTC. The
>>   binaries are reproducible, but the SBOM contains incorrect checksums
>>   for `commons-lang3` version `3.20.0`, likely due to a trailing RC in
>>   your local Maven repository.
> 
> Do you think the only way to fix that is to delete my whole local
> Maven repo before an RC?
That’s what I typically do when I encounter a reproducibility issue in
the SBOM. To speed things up, I use Mímir [1] as a Maven extension: it
caches artifacts retrieved from Central in a dedicated local cache that,
unlike the Maven local repository, is not used for staging artifacts.

As an alternative, we could use my SBOM Enforcer Maven plugin to
validate SBOM metadata. It currently provides two rules, but checksum
verification is one of them [2].

Over time, I plan to add more rules to cover additional SBOM aspects and
eventually allow certain metadata to be overridden.

Best,
Piotr

[1] https://github.com/maveniverse/mimir
[2] https://sbom-enforcer.github.io/maven-plugin/usage.html#verify-dependency-checksums
