ppkarwasz commented on issue #3804: URL: https://github.com/apache/logging-log4j2/issues/3804#issuecomment-3198079992
Hi @ramanathan1504,

Thanks for taking this on! To help guide your investigation, I’ve already summarized the known variations in https://github.com/jvm-repo-rebuild/reproducible-central/pull/3119#issuecomment-3064758773. Two of the three issues (those linked to the Gradle Module Metadata Maven Plugin) should already be resolved with the plugin’s latest version. That leaves one remaining issue that still needs explanation:

> * The aggregate SBOM file (`log4j-bom-2.25.1-cyclonedx.xml`) occasionally reorders the `JSpecify` dependency, shifting it between two positions.

I noticed this also occurred in `2.25.0`, as you had already flagged. I'm not yet sure what causes this nondeterminism—I plan to investigate and will report back once I understand the root cause.

While it’s technically possible the CycloneDX Maven Plugin itself is responsible, that seems unlikely: its maintainer, @hboutemy, is a leading expert in Java reproducibility. A more probable explanation is that the nondeterminism originates in Maven internals (e.g., the `DependencyCollectorBuilder`, which the plugin depends on).

One concrete step you could try is downgrading Maven to see if the issue persists. That should help determine whether the problem is tied to a specific Maven version.
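When chasing a reproducibility difference like the one described above, the first question is whether two SBOM builds differ only in component order (a presentation issue, as with the `JSpecify` shift) or in actual content (a different dependency or version). The following Python script is an added example, not part of the comment or of the Log4j or CycloneDX projects: it parses two CycloneDX XML documents, derives a `(group, name, version)` key per `<component>` regardless of schema namespace, and classifies the difference. The SBOM fragments embedded in it are constructed for illustration and do not reproduce real Log4j output.

```python
"""Classify the difference between two CycloneDX XML SBOMs.

Added example for comparing SBOM builds: reports whether two documents are
identical, differ only in the order of <component> elements, or differ in
content. Sample SBOMs below are constructed, not real Log4j artifacts.
"""
import xml.etree.ElementTree as ET

# Constructed SBOM A: JSpecify listed first (hypothetical coordinates).
SBOM_A = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">
  <components>
    <component type="library"><group>org.jspecify</group><name>jspecify</name><version>1.0.0</version></component>
    <component type="library"><group>org.example</group><name>alpha</name><version>1.0</version></component>
    <component type="library"><group>org.example</group><name>beta</name><version>2.0</version></component>
  </components>
</bom>"""

# Constructed SBOM B: same components, JSpecify shifted to the second position.
SBOM_B = """<bom xmlns="http://cyclonedx.org/schema/bom/1.6" version="1">
  <components>
    <component type="library"><group>org.example</group><name>alpha</name><version>1.0</version></component>
    <component type="library"><group>org.jspecify</group><name>jspecify</name><version>1.0.0</version></component>
    <component type="library"><group>org.example</group><name>beta</name><version>2.0</version></component>
  </components>
</bom>"""

# Constructed SBOM C: a genuine content change (beta bumped to 2.1).
SBOM_C = SBOM_A.replace("<version>2.0</version>", "<version>2.1</version>")


def _local(tag):
    """Strip the XML namespace so the code works across CycloneDX schema versions."""
    return tag.rsplit("}", 1)[-1]


def component_keys(xml_text):
    """Return (group, name, version) keys for every <component>, in document order."""
    root = ET.fromstring(xml_text)
    keys = []
    for elem in root.iter():
        if _local(elem.tag) != "component":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in elem}
        keys.append((fields.get("group", ""), fields.get("name", ""), fields.get("version", "")))
    return keys


def compare_sboms(xml_a, xml_b):
    """Classify the difference: 'identical', 'order-only', or 'content-differs'."""
    keys_a, keys_b = component_keys(xml_a), component_keys(xml_b)
    if keys_a == keys_b:
        return "identical"
    if sorted(keys_a) == sorted(keys_b):
        return "order-only"
    return "content-differs"


def moved_components(xml_a, xml_b):
    """List the components whose position changed between the two SBOMs (order of A)."""
    keys_a, keys_b = component_keys(xml_a), component_keys(xml_b)
    position_b = {key: idx for idx, key in enumerate(keys_b)}
    return [key for idx, key in enumerate(keys_a) if position_b.get(key) != idx]


if __name__ == "__main__":
    print("A vs B:", compare_sboms(SBOM_A, SBOM_B), moved_components(SBOM_A, SBOM_B))
    print("A vs C:", compare_sboms(SBOM_A, SBOM_C))
```

Run against two real `log4j-bom-*-cyclonedx.xml` files (read them in place of the constructed strings), an `order-only` verdict narrows the investigation to whatever decides component ordering, while `content-differs` points at dependency resolution itself. Note that this ignores elements other than `<components>` (metadata, dependency graph, timestamps), which you would want to diff separately.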