Hi Hervé, I've tried to check my release via the suggested recipe...
Downloaded the maven-studies repo and build the following commit: 90b426758363123af6fcc9aa7190b837c0551359 (mvn clean install) Downloaded the source package curl -O https://repository.apache.org/content/repositories/maven-1555/org/apache/maven/plugins/maven-dependency-plugin/3.1.2/maven-dependency-plugin-3.1.2-source-release.zip unzip maven-dependency-plugin-3.1.2-source-release.zip cd maven-dependency-plugin-3.1.2 and tried to run the following: mvn -Papache-release verify buildinfo:save -Dgpg.skip -Dreference.repo=https://repository.apache.org/content/repositories/maven-1555/ and got the following: [ERROR] Failed to execute goal org.apache.maven.plugins:maven-buildinfo-plugin:1.0-SNAPSHOT:save (default-cli) on project maven-dependency-plugin: Error resolving reference artifact org.apache.maven.plugins:maven-dependency-plugin:buildinfo:3.1.2: Could not transfer artifact org.apache.maven.plugins:maven-dependency-plugin:buildinfo:3.1.2 from/to reference (https://repository.apache.org/content/repositories/maven-1555/): Cannot access https://repository.apache.org/content/repositories/maven-1555/ with type using the available connector factories: BasicRepositoryConnectorFactory: Cannot access https://repository.apache.org/content/repositories/maven-1555/ with type using the available layout factories: Maven2RepositoryLayoutFactory: Unsupported repository layout -> [Help 1] [ERROR] Kind regards Karl Heinz Marbaise On 07.03.20 11:36, Hervé BOUTEMY wrote:
Hi, Yesterday, I made a key step forward for Reproducible Builds with Maven: I wrote code to easily check that your local build produces the same binaries as the reference binaries published either to staging or to Central repository. For a live example, see the last paragraph of Maven Site Plugin vote that just started [1]. Process to check build output is based on a single plugin goal, currently named buildinfo:save [2]: 1. it creates a buildinfo file during build recording output fingerprints, that will eventually in the future be published to Central repository 2. it downloads reference artifacts and/or reference buildinfo and checks that the output of the local build is the same as the reference. Now I want to discuss: is it clear? can you test and report, please? If the feedback is positive, the next question will be: in which plugin should we put this goal to make a release and add it to our parent pom during release, so we publish reference buildinfo along our reference binaries to Central repository. Thanks for your feedback Regards, Hervé [1] https://lists.apache.org/thread.html/rd3af15d383ddceeb950cd90569e3dcdd6e5a0f5d3cd653ec534b0609%40%3Cdev.maven.apache.org%3E [2] https://github.com/apache/maven-studies/tree/maven-buildinfo-plugin
--------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
