As an explainer, the cause for the reproducibility check failing looks to be from a difference in umask between Justin's env and those used for previous releases and in turn the Reproducible Central buildspec used to verify the reproducibility.
On previous systems that did the release, a umask of [0]022 was in effect. On Justins, a umask of [0]002 was in effect. When I changed umask to [0]002 I was then able to do a 100% reproduction of the build. I'm not yet clear on why, but for the 3 war files in the build, the permissions on the embedded maven detail files (but none of the actual content files) are influenced by the umask: META-INF/maven/<groupId>/<artifact-id>/pom.xml META-INF/maven/<groupId>/<artifact-id>/pom.properties The war files contents then in turn influence the binary assembly and related checksum files, giving a total of 7 differences in the overall build. None of the 'actual content' differs as such, just the permissions, the metadata for which throws off the overall assembly. The same type of generated files are also embedded in all the jar files, but are not influenced by the differing umasks so the jars all came out the same regardless. We could either proceed and try to update the buildspec at Reproducible Central to compensate (and then need to update it again to switch back in future if we make things consistent). Or we could redeploy the build to make this consistent with prior releases, the binary assembly and sig+checksum would get updated, as would the sig for the source release (embedded timestamp) though not the source archive itself. Thoughts, Justin? On Fri, 18 Oct 2024 at 17:26, Robbie Gemmell <robbie.gemm...@gmail.com> wrote: > > -1, for now at least. > > The deployed convenience binaries failed a reproducibility check, even > though all the sub-content in them ultimately seems to be the same as > in the rebuild. A permissions difference in a few modules (the 3 > console war files) META-INF files seems to be the cause, which in turn > rippled through to the binary assembly archives as a whole. > > I'd like to try some redeployments on Monday to see whether we could > resolve the issue, or at least isolate a reason/env-difference that > prompts it. > > Note -1's are not a veto on releases, and even with my -1 it still > meets the criteria necessary to proceed, i.e can currently still be > released as-is if so desired. > > I checked things over as follows: > - Verified the signature + checksum files. > - Checked for LICENCE + NOTICE files in the archives. > - Checked licence headers in the source archive by running: > "mvn apache-rat:check" > - Ran the Qpid JMS 2.6.1 HelloWorld against a broker from the binary > archive on JDK 17. > - Ran the source build and the AMQP integration tests on JDK 17 with: > "mvn clean install -DskipTests && cd tests/integration-tests/ && mvn > -Ptests -Dtest=org.apache.activemq.artemis.tests.integration.amqp.** > test" > - Verified the build reproducibility using the tooling at Reproducible > Central, which failed as per above. > > Robbie > > On Wed, 16 Oct 2024 at 17:13, Justin Bertram <jbert...@apache.org> wrote: > > > > I would like to propose an Apache ActiveMQ Artemis 2.38.0 release. > > > > Highlights include: > > > > - WebSocket compression is now supported. This compression can be used > > transparently for AMQP, STOMP, or MQTT when communication is over > > WebSockets. > > - The ActiveMQServerMessagePlugin now has a messageMoved() callback. > > - Core bridge configuration now supports client-id which will make it much > > easier to identify bridge connections on remote brokers. > > - The consumer CLI command now supports consuming messages "forever." > > - The authentication & authorization caches now have detailed debug logging. > > - There’s been a handful of updates to broker management including: > > - The documentation has been improved with more examples for Jolokia > > and a new sub-section on management method option syntax. > > - It’s now possible to pass empty "options" to the management methods > > that accept them. > > - The management methods which return paged results can now return all > > the results together by specifying -1 for either the page or the pageSize. > > - The management method option syntax now supports the NOT_EQUALS > > operator for greater flexibility with filtering results of management > > operations. > > - Configuration for diverts created via management can now be done via > > JSON. > > > > The release notes can be found here: > > https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12315920&version=12355013 > > > > Ths git commit report is here: > > https://activemq.apache.org/components/artemis/download/commit-report-2.38.0 > > > > Source and binary distributions can be found here: > > https://dist.apache.org/repos/dist/dev/activemq/activemq-artemis/2.38.0/ > > > > The Maven staging repository is here: > > https://repository.apache.org/content/repositories/orgapacheactivemq-1410 > > > > If you would like to validate the release: > > https://activemq.apache.org/components/artemis/documentation/hacking-guide/#validating-releases > > > > It is tagged in the git repo as <version> > > > > [ ] +1 approve this release > > [ ] +0 no opinion > > [ ] -1 disapprove (and reason why) > > > > Here's my +1 > > > > > > Justin --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@activemq.apache.org For additional commands, e-mail: dev-h...@activemq.apache.org For further information, visit: https://activemq.apache.org/contact
