The commons release plugin includes this helper note: --- 4b) Check reproducibility
To check that a build is reproducible, run: mvn clean verify artifact:compare -DskipTests -Dreference.repo= https://repository.apache.org/content/repositories/staging/ '-Dbuildinfo.ignore=*/*.spdx.json' Note that this excludes SPDX files from the check. --- However there are some caveats: 1. The timezone must match. 2. The JDK must match the one used for the release build. I suggest the instructions be updated with this information, e.g. --- # Use JDK 11 export TZ="Europe/London" --- I believe the timezone may be solved by always building our releases using the TZ=UTC. But the correct JVM is still required. Thoughts on this? Alex
