Hi Gary, On Sat, 23 Dec 2023 at 17:45, Gary Gregory <garydgreg...@gmail.com> wrote: > > +1 > - Tested src zip file > - ASC OK > - SHA512 OK > - `mvn clean verify` OK > - Using: > Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae) > Maven home: /usr/local/Cellar/maven/3.9.6/libexec > Java version: 17.0.9, vendor: Homebrew, runtime: > /usr/local/Cellar/openjdk@17/17.0.9/libexec/openjdk.jdk/Contents/Home > Default locale: en_US, platform encoding: UTF-8 > OS name: "mac os x", version: "14.2.1", arch: "x86_64", family: "mac" > Darwin **** 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10 > PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64 x86_64
Could you also add a reproducibility check in your next votes? For security reasons we can not release artifacts generated by the CI unless we can reproduce them locally or we know what exactly is the reason they can not be reproduced. This burden obviously falls on the Release Manager, but it would be nice to have independent confirmations before performing the release. After an actual release the Hervé's Reproducible Central project also verifies our artifacts, the results can be found here: https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/logging/log4j/log4j/README.md Additional projects (like Commons Logging) can be added with PRs like this one: https://github.com/jvm-repo-rebuild/reproducible-central/pull/134 Piotr PS: I'll try to add PRs for your recent Commons releases, when I'll have some time.
