Hi Piotr,

Please include whatever instructions you want folks to run in the vote email to prove reproducibility. Then at least we can agree on what it means to do the reproducibility check and when it passes or fails, assuming it's a binary property.

A long-standing pet peeve of mine is PMC members (in many projects, I'm not singling out Log4j here) that vote on a release candidate without stating _what_ they did to check the viability of said release. If this matters, it should be an Apache requirement, which it is not ATM AFAIK.

Gary

On Wed, Dec 27, 2023 at 4:26 AM Piotr P. Karwasz <piotr.karw...@gmail.com> wrote:
>
> Hi Gary,
>
> On Sat, 23 Dec 2023 at 17:45, Gary Gregory <garydgreg...@gmail.com> wrote:
> >
> > +1
> > - Tested src zip file
> > - ASC OK
> > - SHA512 OK
> > - `mvn clean verify` OK
> > - Using:
> > Apache Maven 3.9.6 (bc0240f3c744dd6b6ec2920b3cd08dcc295161ae)
> > Maven home: /usr/local/Cellar/maven/3.9.6/libexec
> > Java version: 17.0.9, vendor: Homebrew, runtime: /usr/local/Cellar/openjdk@17/17.0.9/libexec/openjdk.jdk/Contents/Home
> > Default locale: en_US, platform encoding: UTF-8
> > OS name: "mac os x", version: "14.2.1", arch: "x86_64", family: "mac"
> > Darwin **** 23.2.0 Darwin Kernel Version 23.2.0: Wed Nov 15 21:54:10 PST 2023; root:xnu-10002.61.3~2/RELEASE_X86_64 x86_64
>
> Could you also add a reproducibility check in your next votes?
>
> For security reasons we can not release artifacts generated by the CI
> unless we can reproduce them locally or we know what exactly is the
> reason they can not be reproduced.
> This burden obviously falls on the Release Manager, but it would be
> nice to have independent confirmations before performing the release.
>
> After an actual release, Hervé's Reproducible Central project also
> verifies our artifacts; the results can be found here:
>
> https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/logging/log4j/log4j/README.md
>
> Additional projects (like Commons Logging) can be added with PRs like this
> one:
>
> https://github.com/jvm-repo-rebuild/reproducible-central/pull/134
>
> Piotr
>
> PS: I'll try to add PRs for your recent Commons releases, when I
> have some time.
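
One way to make the reproducibility check discussed in this thread a binary pass/fail result, as an added example that is not part of the thread and not the Log4j project's own procedure: compare the CI-built artifacts with a local rebuild by SHA-512 and, on a mismatch, list the archive entries that differ. The directory layout, function names and sample jars are assumptions constructed for the illustration.

```python
# Added illustration; directory layout and function names are assumptions.
import hashlib, tempfile, zipfile
from pathlib import Path

def sha512(path):
    return hashlib.sha512(Path(path).read_bytes()).hexdigest()

def entry_diff(ref, rebuilt):
    """Names of archive entries whose presence, content or timestamp differ."""
    def index(p):
        with zipfile.ZipFile(p) as z:
            return {i.filename: (i.CRC, i.file_size, i.date_time) for i in z.infolist()}
    a, b = index(ref), index(rebuilt)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def check_reproducible(ref_dir, rebuilt_dir):
    """Map each non-identical artifact to the reason; an empty dict means PASS."""
    ref_dir, rebuilt_dir = Path(ref_dir), Path(rebuilt_dir)
    failures = {}
    for ref in sorted(p for p in ref_dir.rglob("*") if p.is_file()):
        rel = ref.relative_to(ref_dir)
        rebuilt = rebuilt_dir / rel
        if not rebuilt.is_file():
            failures[str(rel)] = ["missing from local rebuild"]
        elif sha512(ref) != sha512(rebuilt):
            both_zip = zipfile.is_zipfile(ref) and zipfile.is_zipfile(rebuilt)
            detail = entry_diff(ref, rebuilt) if both_zip else []
            failures[str(rel)] = detail or ["archive bytes differ (order, compression or metadata)"]
    return failures

def make_jar(path, entries, stamp=(2023, 12, 20, 0, 0, 0)):
    """Constructed sample input: a tiny jar with a fixed entry timestamp."""
    with zipfile.ZipFile(path, "w") as z:
        for name, data in entries.items():
            z.writestr(zipfile.ZipInfo(name, date_time=stamp), data)

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        ci, local = Path(tmp, "ci"), Path(tmp, "local")
        ci.mkdir(); local.mkdir()
        manifest = {"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}
        make_jar(ci / "a.jar", {**manifest, "A.class": b"\xca\xfe"})
        make_jar(local / "a.jar", {**manifest, "A.class": b"\xca\xfe"})
        make_jar(ci / "b.jar", {**manifest, "B.class": b"\xca\xfe"})
        make_jar(local / "b.jar", {**manifest, "B.class": b"\xca\xfe"}, stamp=(2023, 12, 27, 4, 26, 0))
        return check_reproducible(ci, local)

if __name__ == "__main__":
    print(demo() or "PASS")
```

In the constructed sample, `b.jar` fails only because the rebuild stamped its entries with a different time, which is a typical cause of a non-reproducible jar.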