Thanks for checking this, Toshiya, I will take over and give a look.

Mario
On 2024/06/20 10:07:28 Toshiya Kobayashi wrote:
> On my local machine, `mvn clean verify artifact:compare` results in:
> ```
> [INFO] --- artifact:3.4.1:compare (default-cli) @ drools-core ---
> [WARNING] SCM source tag in buildinfo source.scm.tag=HEAD does not permit rebuilders reproducible source checkout
> [INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
> [INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec)
> [INFO] Reference build os.name: Unix (from pom.properties newline)
> [INFO] Minimal buildinfo generated from downloaded artifacts: /home/tkobayas/usr/work/reproducible/drools/drools-core/target/reference/drools-core-999-SNAPSHOT.buildinfo
> [ERROR] size mismatch drools-core-999-SNAPSHOT-tests.jar: investigate with diffoscope drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar drools-core/target/drools-core-999-SNAPSHOT-tests.jar
> [ERROR] Reproducible Build output summary: 4 files ok, 1 different
> [ERROR] see diff drools-core/target/reference/drools-core-999-SNAPSHOT.buildinfo drools-core/target/drools-core-999-SNAPSHOT.buildinfo
> [ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html
> [INFO] Reproducible Build output comparison saved to /home/tkobayas/usr/work/reproducible/drools/drools-core/target/drools-core-999-SNAPSHOT.buildcompare
> [INFO] Aggregate buildcompare copied to /home/tkobayas/usr/work/reproducible/drools/target/drools-parent-999-SNAPSHOT.buildcompare
> ```
>
> diffoscope output:
> ```
> $ diffoscope drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar drools-core/target/drools-core-999-SNAPSHOT-tests.jar
> --- drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar
> +++ drools-core/target/drools-core-999-SNAPSHOT-tests.jar
> ├── zipinfo {}
> │
@@ -1,8 +1,8 @@ > │ -Zip file size: 232564 bytes, number of entries: 220 > │ +Zip file size: 233299 bytes, number of entries: 221 > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 META-INF/ > │ -rw-r--r-- 2.0 unx 505 b- defN 24-Jan-12 00:00 META-INF/MANIFEST.MF > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/ > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/ > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/core/ > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 > org/drools/core/base/ > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 > org/drools/core/base/accumulators/ > │ 
@@ -188,14 +188,15 @@ > │ -rw-r--r-- 2.0 unx 435 b- defN 24-Jan-12 00:00 > org/drools/core/util/asm/TestAbstract.class > │ -rw-r--r-- 2.0 unx 450 b- defN 24-Jan-12 00:00 > org/drools/core/util/asm/TestAbstractImpl.class > │ -rw-r--r-- 2.0 unx 1547 b- defN 24-Jan-12 00:00 > org/drools/core/util/asm/TestBean.class > │ -rw-r--r-- 2.0 unx 205 b- defN 24-Jan-12 00:00 > org/drools/core/util/asm/TestInterface.class > │ -rw-r--r-- 2.0 unx 556 b- defN 24-Jan-12 00:00 > org/drools/core/util/asm/TestInterfaceImpl.class > │ -rw-r--r-- 2.0 unx 1910 b- defN 24-Jan-12 00:00 > org/drools/core/util/asm/TestObject.class > │ -rwxr-xr-x 2.0 unx 644 b- defN 24-Jan-12 00:00 > org/drools/core/util/droolsClient.keystore > │ +-rw-r--r-- 2.0 unx 624 b- defN 24-Jan-12 00:00 > org/drools/core/util/droolsServer.jceks > │ -rwxr-xr-x 2.0 unx 1350 b- defN 24-Jan-12 00:00 > org/drools/core/util/droolsServer.keystore > │ -rw-r--r-- 2.0 unx 865 b- defN 24-Jan-12 00:00 > org/drools/core/util/engine.policy > │ -rw-r--r-- 2.0 unx 5312 b- defN 24-Jan-12 00:00 > org/drools/core/util/index/IndexUtilTest$FakeBetaNodeFieldConstraint.class > │ -rw-r--r-- 2.0 unx 3293 b- defN 24-Jan-12 00:00 > org/drools/core/util/index/IndexUtilTest$FakeReadAccessor.class > │ -rw-r--r-- 2.0 unx 7673 b- defN 24-Jan-12 00:00 > org/drools/core/util/index/IndexUtilTest.class > │ -rw-r--r-- 2.0 unx 3443 b- defN 24-Jan-12 00:00 > org/drools/core/util/index/RangeIndexTest.class > │ -rw-r--r-- 2.0 unx 1012 b- defN 24-Jan-12 00:00 > org/drools/core/util/kie.policy > │ 
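Review bot: the only content difference in this hunk is the entry `org/drools/core/util/droolsServer.jceks` (624 bytes) on the `+` side, i.e. in the locally rebuilt tests jar, sitting between `droolsClient.keystore` and `droolsServer.keystore`, both of which the reference jar already has. Before excluding it from the packaging, it is worth tracing where it comes from: a keystore-like file that shows up in one build and not the other suggests something writes it into the test output directory before the test-jar is assembled, in which case the fix is to stop that file landing in the packaged output (or to exclude it from the test-jar) so the rebuilt artifact matches the reference entry for entry.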
@@ -215,8 +216,8 @@ > │ -rw-r--r-- 2.0 unx 21806 b- defN 24-Jan-12 00:00 pkg/mortgages.pkg > │ -rw-r--r-- 2.0 unx 1799 b- defN 24-Jan-12 00:00 > rule-agent-config.properties > │ -rw-r--r-- 2.0 unx 2209 b- defN 24-Jan-12 00:00 > rule-base-rule-agent-config.properties > │ -rw-r--r-- 2.0 unx 893 b- defN 24-Jan-12 00:00 > sample-agent-config.properties > │ -rw-r--r-- 2.0 unx 31057 b- defN 24-Jan-12 00:00 waltz12.dat > │ -rw-r--r-- 2.0 unx 8039 b- defN 24-Jan-12 00:00 > META-INF/maven/org.drools/drools-core/pom.xml > │ -rw-r--r-- 2.0 unx 63 b- defN 24-Jan-12 00:00 > META-INF/maven/org.drools/drools-core/pom.properties > │ -220 files, 560891 bytes uncompressed, 196398 bytes compressed: 65.0% > │ +221 files, 561515 bytes uncompressed, 196979 bytes compressed: 64.9% > ├── zipnote «TEMP»/diffoscope_e6bcvig3_target/tmpceiwpf7e_.zip > │ 
@@ -573,14 +573,17 @@ > │ > │ Filename: org/drools/core/util/asm/TestObject.class > │ Comment: > │ > │ Filename: org/drools/core/util/droolsClient.keystore > │ Comment: > │ > │ +Filename: org/drools/core/util/droolsServer.jceks > │ +Comment: > │ + > │ Filename: org/drools/core/util/droolsServer.keystore > │ Comment: > │ > │ Filename: org/drools/core/util/engine.policy > │ Comment: > │ > │ Filename: > org/drools/core/util/index/IndexUtilTest$FakeBetaNodeFieldConstraint.class > > ```
>
> `droolsServer.jceks` seems to be the problem. Sorry that I'll be off until next Tuesday. I may occasionally investigate it, but it would be great if someone can fix it.
>
> Cheers,
> Toshiya
>
> On Thu, Jun 20, 2024 at 12:20 AM Alex Porcelli <[email protected]> wrote:
> > Just tried at the drools repo and it failed in the reproducible build when I run `mvn clean verify artifact:compare` :(
> >
> > On Fri, Jun 14, 2024 at 12:08 PM Jan Šťastný <[email protected]> wrote:
> > > Hello all,
> > >
> > > In discussion with the security team I've been asked to provide answers to the following questions on how we fulfil the security requirements that go with the automated GPG signing in the CI environment:
> > >
> > > https://infra.apache.org/release-signing.html#automated-release-signing requires that the build is binary reproducible and that "The release procedure contains a validation step where all artifacts are reproduced on trusted hardware (https://www.apache.org/legal/release-policy.html#owned-controlled-hardware) before publication to pages intended for end users"
> > >
> > > I'd like to ask everyone for assistance, especially in confirming that our builds are reproducible, but also to help me interpret the trusted hardware request.
> > >
> > > The more I think about this, the more I tend to think we will be asked to provide some documentation of how we release as a reference.
> > >
> > > Regards
> > > Jan
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
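The comparison that `artifact:compare` and diffoscope perform above (reference jar versus local rebuild, reporting the entry that exists only on one side) can be reproduced in a few lines for a quick first triage. The following is an added example written for this thread, not code from the Drools project or from the Maven artifact plugin; the two jars it compares are constructed in memory with fixed entry timestamps, and the entry names and contents (including the extra `droolsServer.jceks`) are sample data modelled on the diffoscope output in the thread.

```python
"""Entry-level comparison of two jar/zip artifacts, the first check a
reproducible-build verifier runs before reaching for diffoscope."""
import io
import zipfile


def entry_table(jar_bytes: bytes) -> dict:
    """Map entry name -> (uncompressed size, CRC32) for every entry in the archive."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {info.filename: (info.file_size, info.CRC) for info in zf.infolist()}


def compare_jars(reference: bytes, rebuilt: bytes) -> dict:
    """Report entries only in the reference, only in the rebuild, and entries
    present in both whose uncompressed size or CRC differ."""
    ref = entry_table(reference)
    new = entry_table(rebuilt)
    return {
        "missing": sorted(set(ref) - set(new)),
        "extra": sorted(set(new) - set(ref)),
        "changed": sorted(name for name in ref.keys() & new.keys() if ref[name] != new[name]),
    }


# Reproducible builds pin every entry timestamp; this constant is a constructed sample value.
FIXED_DATE = (2024, 1, 12, 0, 0, 0)


def build_jar(entries: dict) -> bytes:
    """Construct an in-memory jar with deterministic entry order and timestamps (sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(entries):
            info = zipfile.ZipInfo(name, date_time=FIXED_DATE)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, entries[name])
    return buf.getvalue()


# Constructed sample inputs: the rebuilt tests jar carries one entry the reference does not.
COMMON = {
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "org/drools/core/util/droolsClient.keystore": b"client-keystore-sample-bytes",
    "org/drools/core/util/droolsServer.keystore": b"server-keystore-sample-bytes",
}
REFERENCE_JAR = build_jar(COMMON)
REBUILT_JAR = build_jar({**COMMON, "org/drools/core/util/droolsServer.jceks": b"written-during-build"})


def extra_entry_report() -> dict:
    """The thread's situation: same entries, plus one file only in the rebuild."""
    return compare_jars(REFERENCE_JAR, REBUILT_JAR)


def changed_entry_report() -> dict:
    """A second failure mode: same entry names, but one entry's bytes differ."""
    altered = {**COMMON, "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nBuild-Jdk-Spec: 17\n"}
    return compare_jars(REFERENCE_JAR, build_jar(altered))


if __name__ == "__main__":
    for kind, names in extra_entry_report().items():
        for name in names:
            print(f"{kind}: {name}")
```

Entry names, sizes and CRCs are enough to localise the kind of difference shown in the thread (an extra file) and to tell it apart from an entry whose contents changed; once the offending entry is known, diffoscope on the two jars shows the byte-level difference inside it.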
