ppkarwasz opened a new issue, #388: URL: https://github.com/apache/logging-parent/issues/388
## Description

On Windows, many Maven plugins—including the CycloneDX Maven Plugin—emit files with `CRLF` line endings. Despite this, the `verify-reproducibility-reusable` workflow sometimes reports successful reproduction of binaries that were originally built on UNIX (with `LF` line endings). For example, see [workflow run #15108310068](https://github.com/apache/logging-log4j2/actions/runs/15108310068).

This inconsistency strongly suggests that the workflow is unintentionally reusing a contaminated Maven cache shared with the `build-*` and `deploy-*` workflows. This shared cache may contain previously built artifacts, which can mask actual reproducibility issues and produce false positives.

## Proposed Solutions

To eliminate these false positives and ensure true reproducibility verification, we can consider the following options:

1. **Avoid using the Maven local repository cache** in the `verify-reproducibility-reusable` workflow.
2. **Use a dedicated Maven cache** specifically for the `verify-reproducibility-reusable` workflow, separate from the one used by build and deploy workflows.
3. **Adopt [Mimir](https://github.com/maveniverse/mimir)** to cache only immutable artifacts from Maven Central.

I've successfully integrated Mimir into the [SBOM Enforcer workflows](https://github.com/sbom-enforcer/sbom-enforcer/blob/main/.github/workflows/build.yaml), and it has proven effective in improving build reliability and reproducibility.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
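As an added illustration, not code from the issue or from the logging-parent workflows: a small POSIX shell check that classifies how a freshly built artifact differs from its reference copy and flags the symptom described above (a Windows run whose output is byte-identical to an LF reference, which is what a cached artifact would look like). The platform heuristic, the constructed sample files and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a "reproducible" verdict against line endings.

# Succeed (exit 0) if the file contains at least one carriage return.
has_crlf() {
  [ $(( $(tr -cd '\r' < "$1" | wc -c) )) -gt 0 ]
}

# Print how the candidate build differs from the reference artifact:
#   identical | line-endings-only | different
classify() {
  if cmp -s "$1" "$2"; then
    echo identical
    return 0
  fi
  tmp_ref=$(mktemp); tmp_cand=$(mktemp)
  tr -d '\r' < "$1" > "$tmp_ref"     # normalise CRLF -> LF on both sides
  tr -d '\r' < "$2" > "$tmp_cand"
  if cmp -s "$tmp_ref" "$tmp_cand"; then
    result=line-endings-only
  else
    result=different
  fi
  rm -f "$tmp_ref" "$tmp_cand"
  echo "$result"
}

# Heuristic (an assumption of this example, not the workflow's own logic):
# a run on a platform expected to write CRLF, whose output is byte-identical
# to an LF-only reference, most likely did not rebuild the file at all.
# Succeeds when cache reuse should be suspected.
suspect_cache_reuse() {
  platform="$1"; ref="$2"; cand="$3"
  [ "$platform" = windows ] || return 1
  cmp -s "$ref" "$cand" || return 1
  ! has_crlf "$cand"
}

# Constructed sample SBOM fragments (not real CycloneDX output).
SAMPLE_DIR=$(mktemp -d)
printf '{"bomFormat":"CycloneDX",\n"specVersion":"1.5"}\n' > "$SAMPLE_DIR/bom-unix.json"
printf '{"bomFormat":"CycloneDX",\r\n"specVersion":"1.5"}\r\n' > "$SAMPLE_DIR/bom-windows.json"
printf '{"bomFormat":"CycloneDX",\n"specVersion":"1.6"}\n' > "$SAMPLE_DIR/bom-changed.json"

classify "$SAMPLE_DIR/bom-unix.json" "$SAMPLE_DIR/bom-windows.json"   # line-endings-only
if suspect_cache_reuse windows "$SAMPLE_DIR/bom-unix.json" "$SAMPLE_DIR/bom-unix.json"; then
  echo "suspect: Windows output identical to LF reference, cache reuse likely"
fi
```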