Built from the source tar.gz archive on JDK 17 and 8:

$ mvn # (default goal)
Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
Maven home: /Users/ah403/mvn/mvn
Java version: 17.0.17, vendor: Eclipse Adoptium, runtime: /Library/Java/JavaVirtualMachines/temurin-17.jdk/Contents/Home
Default locale: en_GB, platform encoding: UTF-8
OS name: "mac os x", version: "26.3.1", arch: "aarch64", family: "mac"

$ mvn clean verify site
Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
Maven home: /Users/ah403/mvn/mvn
Java version: 1.8.0_472, vendor: Temurin, runtime: /Library/Java/JavaVirtualMachines/temurin-8.jdk/Contents/Home/jre
Default locale: en_GB, platform encoding: UTF-8
OS name: "mac os x", version: "26.3.1", arch: "x86_64", family: "mac"

Note: This runs 'prepare-checkout' which downloads the current site using svn. This is useful for release managers to update the site by copying target/site to site-contents. It is not useful for a consumer of the source who would like to locally build the site. I think this should be run via an opt in profile.

The rat report has 43 unapproved files. This is the same issue seen with the rat report in recent releases of commons RNG and Numbers using commons parent 98. The parent did not duplicate the excludes configuration between build (where it works) and reporting (where it does not exclude project appended excludes).

japicmp looks OK. New API has correct spelling/grammar.

Note: There is a @since 2.13.0 in the javadoc for the new FlushShieldOutputStream.Builder. All other new API have the correct @since 2.22.0 tag.

Spotbugs clean.

Jira report is OK. There are many tickets not associated with a version and these go to the top of the report. Some are very old and still not closed although they are resolved. I think a bulk close of tickets with a tag would have missed closing them.

Check reproducibility: does not work for me:

mvn clean verify artifact:compare -DskipTests -Dreference.repo=https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json'

[INFO] Reference build java.version: 21 (from MANIFEST.MF Build-Jdk-Spec)
[ERROR] Current build java.version: 1.8 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Unix (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /private/tmp/commons-io-2.22.0-src/target/reference/commons-io-2.22.0.buildinfo
[ERROR] size mismatch commons-io-2.22.0.jar: investigate with diffoscope target/reference/commons-io/commons-io-2.22.0.jar target/commons-io-2.22.0.jar
[ERROR] size mismatch commons-io-2.22.0-tests.jar: investigate with diffoscope target/reference/commons-io/commons-io-2.22.0-tests.jar target/commons-io-2.22.0-tests.jar
[ERROR] size mismatch commons-io-2.22.0-sources.jar: investigate with diffoscope target/reference/commons-io/commons-io-2.22.0-sources.jar target/commons-io-2.22.0-sources.jar
[ERROR] size mismatch commons-io-2.22.0-test-sources.jar: investigate with diffoscope target/reference/commons-io/commons-io-2.22.0-test-sources.jar target/commons-io-2.22.0-test-sources.jar
[ERROR] size mismatch commons-io-2.22.0-cyclonedx.xml: investigate with diffoscope target/reference/commons-io/commons-io-2.22.0-cyclonedx.xml target/commons-io-2.22.0-bom.xml
[ERROR] size mismatch commons-io-2.22.0-cyclonedx.json: investigate with diffoscope target/reference/commons-io/commons-io-2.22.0-cyclonedx.json target/commons-io-2.22.0-bom.json
[ERROR] [Reproducible Builds] rebuild comparison result: 1 files match, 6 differ, 1 ignored
[ERROR] saved to target/commons-io-2.22.0.buildcompare
[ERROR] [Reproducible Builds] to analyze the differences, see diffoscope instructions in target/commons-io-2.22.0.buildcompare
[ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html

Not sure what is wrong here.

The diffoscope command shows a big difference. Obviously my JDK 8 build does not match the JDK 21 build. Switch to JDK 21:

Apache Maven 3.9.4 (dfbb324ad4a7c8fb0bf182e6d91b0ae20e3d2dd9)
Maven home: /Users/ah403/mvn/mvn
Java version: 21.0.9, vendor: Eclipse Adoptium, runtime: /Library/Java/JavaVirtualMachines/temurin-21.jdk/Contents/Home
Default locale: en_GB, platform encoding: UTF-8
OS name: "mac os x", version: "26.3.1", arch: "aarch64", family: "mac"

Here I get a better match but it still errors:

[INFO] --- artifact:3.6.1:compare (default-cli) @ commons-io ---
[INFO] Saved info on build to /private/tmp/commons-io-2.22.0-src/target/commons-io-2.22.0.buildinfo
[INFO] Checking against reference build from https://repository.apache.org/content/repositories/staging/...
[INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
[INFO] Reference build java.version: 21 (from MANIFEST.MF Build-Jdk-Spec)
[INFO] Reference build os.name: Unix (from pom.properties newline)
[INFO] Minimal buildinfo generated from downloaded artifacts: /private/tmp/commons-io-2.22.0-src/target/reference/commons-io-2.22.0.buildinfo
[ERROR] sha512 mismatch commons-io-2.22.0.jar: investigate with diffoscope target/reference/commons-io/commons-io-2.22.0.jar target/commons-io-2.22.0.jar
[ERROR] [Reproducible Builds] rebuild comparison result: 6 files match, 1 differ, 1 ignored
[ERROR] saved to target/commons-io-2.22.0.buildcompare
[ERROR] [Reproducible Builds] to analyze the differences, see diffoscope instructions in target/commons-io-2.22.0.buildcompare
[ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html

The diffoscope is always for a character mismatch between '\' and 'd' so it could be a platform encoding issue. E.g.

$ diffoscope target/reference/commons-io/commons-io-2.22.0.jar target/commons-io-2.22.0.jar
--- target/reference/commons-io/commons-io-2.22.0.jar
+++ target/commons-io-2.22.0.jar
│┄ Command `'zipdetails --redact --utc {}'` failed with exit code 255. Standard output:
│┄ Unknown option: redact
│┄ Unknown option: utc
│┄ Invalid command line option
│┄
│┄
│┄ zipdetails [OPTIONS] file
│┄
│┄ Display details about the internal structure of a Zip file.
│┄
│┄ This is zipdetails version 2.02 [...]
│┄ Archive contents identical but files differ, possibly due to different compression levels. Falling back to binary comparison.
@@ -1,12 +1,12 @@
-00000000: 504b 0304 1400 0808 0800 eb5c 935c 0000 PK.........\.\..
+00000000: 504b 0304 1400 0808 0800 eb64 935c 0000 PK.........d.\..
 00000010: 0000 0000 0000 0000 0000 0900 0400 4d45 ..............ME
 00000020: 5441 2d49 4e46 2ffe ca00 0003 0050 4b07 TA-INF/......PK.
 00000030: 0800 0000 0002 0000 0000 0000 0050 4b03 .............PK.
-00000040: 0414 0008 0808 00eb 5c93 5c00 0000 0000 ........\.\.....
+00000040: 0414 0008 0808 00eb 6493 5c00 0000 0000 ........d.\.....
 00000050: 0000 0000 0000 0014 0000 004d 4554 412d ...........META-

I am not sure this really matters.

+1: Release these artifacts

Alex

On Sun, 19 Apr 2026 at 13:13, Gary Gregory <[email protected]> wrote:
> We have fixed a few bugs and added enhancements since the release of
> Apache Commons IO 2.21.0, so I would like to release Apache Commons IO
> 2.22.0.
>
> Apache Commons IO 2.22.0 RC2 is available for review here:
> https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2 (svn
> revision 83912)
>
> The Git tag commons-io-2.22.0-RC2 commit for this RC is
> c14acc16f73e44a75b2062b17aacb26c4feda746, which you can browse here:
>
> https://gitbox.apache.org/repos/asf?p=commons-io.git;a=commit;h=c14acc16f73e44a75b2062b17aacb26c4feda746
> You may checkout this tag using:
> git clone https://gitbox.apache.org/repos/asf/commons-io.git
> --branch commons-io-2.22.0-RC2 commons-io-2.22.0-RC2
>
> Maven artifacts are here:
>
> https://repository.apache.org/content/repositories/orgapachecommons-1930/commons-io/commons-io/2.22.0/
>
> These are the artifacts and their hashes:
>
> #Release SHA-512s
> #Sun Apr 19 12:01:22 UTC 2026
>
> I have tested this with 'mvn' and 'mvn clean install site' using:
>
> openjdk version "21.0.10" 2026-01-20
> OpenJDK Runtime Environment Homebrew (build 21.0.10)
> OpenJDK 64-Bit Server VM Homebrew (build 21.0.10, mixed mode, sharing)
>
> Apache Maven 3.9.15 (98b2cdbfdb5f1ac8781f537ea9acccaed7922349)
> Maven home: /opt/homebrew/Cellar/maven/3.9.15/libexec
> Java version: 21.0.10, vendor: Homebrew, runtime:
> /opt/homebrew/Cellar/openjdk@21/21.0.10/libexec/openjdk.jdk/Contents/Home
> Default locale: en_US, platform encoding: UTF-8
> OS name: "mac os x", version: "26.4.1", arch: "aarch64", family: "mac"
>
> Darwin ****.local 25.4.0 Darwin Kernel Version 25.4.0: Thu Mar 19
> 19:33:25 PDT 2026; root:xnu-12377.101.15~1/RELEASE_ARM64_T6041 arm64
>
> Docker version 29.4.0, build 9d7ad9f
>
>
> Details of changes since 2.21.0 are in the release notes:
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/RELEASE-NOTES.txt
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/changes.html
>
> Site:
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/index.html
> (Note some *relative* links are broken and the 2.22.0 directories
> are not yet created - these will be OK once the site is deployed.)
>
> JApiCmp Report (compared to 2.21.0):
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/japicmp.html
>
> RAT Report:
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/site/rat-report.html
>
> KEYS:
> https://downloads.apache.org/commons/KEYS
>
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...
>
> Thank you,
>
> Gary Gregory,
> Release Manager (using key 530AA5F25C25011F)
>
> The following is intended as a helper and refresher for reviewers.
>
> Validating a release candidate
> ==============================
>
> These guidelines are NOT complete.
>
> Requirements: Git, Java, and Maven.
>
> You can validate a release from a release candidate (RC) tag as follows.
>
> 1a) Download and decompress the source archive from:
>
> https://dist.apache.org/repos/dist/dev/commons/io/2.22.0-RC2/source
>
> 1b) Check out the RC tag from git (optional)
>
> This is optional, as a reviewer must at least check source distributions.
>
> git clone https://gitbox.apache.org/repos/asf/commons-io.git --branch
> commons-io-2.22.0-RC2 commons-io-2.22.0-RC2
> cd commons-io-2.22.0-RC2
>
> 2) Checking the build
>
> All components should include a default Maven goal, such that you can
> run 'mvn' from the command line by itself.
>
> 2) Check Apache licenses
>
> This step is not required if the site includes a RAT report page,
> which you then must check.
> This check should be included in the default Maven build, but you can
> check it with:
>
> mvn apache-rat:check
>
> 3) Check binary compatibility
>
> This step is not required if the site includes a JApiCmp report page,
> which you then must check.
> This check should be included in the default Maven build, but you can
> check it with:
>
> mvn verify -DskipTests -P japicmp japicmp:cmp
>
> 4) Build the package
>
> This check should be included in the default Maven build, but you can
> check it with:
>
> mvn -V clean package
>
> You can record the Maven and Java version produced by -V in your VOTE
> reply.
> To gather OS information from a command line:
> Windows: ver
> Linux: uname -a
>
> 4b) Check reproducibility
>
> To check that a build is reproducible, run:
>
> mvn clean verify artifact:compare -DskipTests
> -Dreference.repo=
> https://repository.apache.org/content/repositories/staging/
> '-Dbuildinfo.ignore=*/*.spdx.json'
>
> Note that this excludes SPDX files from the check.
>
> 5) Build the site for a single module project
>
> Note: Some plugins require the components to be installed instead of
> packaged.
>
> mvn site
> Check the site reports in:
> - Windows: target\site\index.html
> - Linux: target/site/index.html
>
> -the end-
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
>
>
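
Added example (not part of the original thread and not Commons IO code): the 96 bytes shown in the diffoscope hunk above contain two ZIP local file headers, so the Python below parses them and decodes the header fields at the differing offsets. The hex rows are transcribed from the message; all function names are illustrative.

```python
import struct
from datetime import datetime

# Bytes 0x00-0x5f of the reference jar, transcribed from the diffoscope hunk above.
REFERENCE_HEX = """
504b 0304 1400 0808 0800 eb5c 935c 0000
0000 0000 0000 0000 0000 0900 0400 4d45
5441 2d49 4e46 2ffe ca00 0003 0050 4b07
0800 0000 0002 0000 0000 0000 0050 4b03
0414 0008 0808 00eb 5c93 5c00 0000 0000
0000 0000 0000 0014 0000 004d 4554 412d
"""
# The rebuilt jar differs only in the two '+' rows of the hunk.
REBUILT_HEX = REFERENCE_HEX.replace("eb5c 935c", "eb64 935c").replace("00eb 5c93", "00eb 6493")

SIG = b"PK\x03\x04"                      # local file header signature
HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30-byte fixed part of a local file header

def load(hexdump):
    return bytes.fromhex("".join(hexdump.split()))

def dos_datetime(time_word, date_word):
    """Decode MS-DOS time/date words (2-second resolution, no time zone)."""
    return datetime(1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F,
                    time_word >> 11, (time_word >> 5) & 0x3F, (time_word & 0x1F) * 2)

def local_headers(data):
    """Return (offset, name, mtime) per local file header found by signature scan.
    Scanning suits this excerpt; a full tool would walk the central directory."""
    found, pos = [], data.find(SIG)
    while pos != -1 and pos + HEADER.size <= len(data):
        _, _, _, _, t, d, _, _, _, nlen, _ = HEADER.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")  # may be cut off
        found.append((pos, name, dos_datetime(t, d)))
        pos = data.find(SIG, pos + 4)
    return found

def diffs_outside_timestamps(ref, new):
    """Offsets where the files differ that are NOT inside a header's time/date field."""
    stamped = {pos + i for pos, _, _ in local_headers(ref) for i in range(10, 14)}
    return [i for i, (a, b) in enumerate(zip(ref, new)) if a != b and i not in stamped]

def timestamp_deltas(ref, new):
    return [(name, t_new - t_ref) for (_, name, t_ref), (_, _, t_new)
            in zip(local_headers(ref), local_headers(new))]

if __name__ == "__main__":
    ref, new = load(REFERENCE_HEX), load(REBUILT_HEX)
    for (off, name, t_ref), (_, _, t_new) in zip(local_headers(ref), local_headers(new)):
        print(f"0x{off:02x} {name!r}: reference {t_ref}  rebuilt {t_new}")
    print("differences outside timestamp fields:", diffs_outside_timestamps(ref, new))
```

Both headers decode to 2026-04-19 11:39:22 in the reference jar and 12:39:22 in the rebuild, and no byte in the excerpt differs outside those fields. MS-DOS timestamps in ZIP headers carry no time zone.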
