Piotr, Here you go:
mvn verify -Prelease artifact:compare -Dreference.repo=https://repository.apache.org/content/repositories/orgapachelogging-1309 diff target/reference/log4j-bom-2.24.3.buildinfo target/log4j-bom-2.24.3.buildinfo 0a1,2 > # https://reproducible-builds.org/docs/jvm/ > buildinfo.version=1.0-SNAPSHOT 1a4,25 > name=Apache Log4j BOM > group-id=org.apache.logging.log4j > artifact-id=log4j-bom > version=2.24.3 > > # source information > source.scm.uri=scm:git:https://github.com/apache/logging-log4j2.git > source.scm.tag=2.x > > # build instructions > build-tool=mvn > > # effective build environment information > java.version=17.0.13 > java.vendor=Homebrew > os.name=Mac OS X > > # Maven rebuild instructions and effective environment > mvn.version=3.9.9 > > # output > 10c34 < outputs.1.checksums.sha512=8900c0a206a9d41059bf13db311c281d36930f50196c5a84d12027082d0925030e2b761c1e36b399081ed5b0bad44182796f8e603bd2aac558d66234ca32d25e --- > outputs.1.checksums.sha512=bae945328761c0947b1778a62c4363ce3a436b870258e86a2e74a8222d27228ac242d2c4685eb5075b2617ee7fee99a9006e3226643adca30f4d8b729f13e136 Gary On Tue, Dec 10, 2024 at 8:52 AM Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote: > > Hi Gary, > > On 10.12.2024 13:26, Gary Gregory wrote: > > Using: > > > > mvn verify -Prelease artifact:compare > > -Dreference.repo=https://repository.apache.org/content/repositories/orgapachelogging-1309 > > > > (Should' we also say "clean"?) > I don't believe `clean` is necessary. I ran `mvnw verify > artifact:compare` twice and there are no differences in the generated > artifacts. > > [ERROR] sha512 mismatch log4j-bom-2.24.3-cyclonedx.xml: investigate > > with diffoscope > > target/reference/org.apache.logging.log4j/log4j-bom-2.24.3-cyclonedx.xml > > target/bom.xml > > > > Any ideas? > > Can you compare the two files above? > > Piotr
