Here is the list of modules that are failing the validation in my local setup:
https://gist.github.com/porcelli/4039a3fb30a1b57c18c81bfcd45a39b0

On Thu, Jun 20, 2024 at 8:52 AM Mario Fusco <[email protected]> wrote:
>
> Thanks for checking this Toshiya, I will take over and give a look.
>
> Mario
>
> On 2024/06/20 10:07:28 Toshiya Kobayashi wrote:
> > On my local machine, `mvn clean verify artifact:compare` results in:
> > ```
> > [INFO] --- artifact:3.4.1:compare (default-cli) @ drools-core ---
> > [WARNING] SCM source tag in buildinfo source.scm.tag=HEAD does not permit rebuilders reproducible source checkout
> > [INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts
> > [INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec)
> > [INFO] Reference build os.name: Unix (from pom.properties newline)
> > [INFO] Minimal buildinfo generated from downloaded artifacts: /home/tkobayas/usr/work/reproducible/drools/drools-core/target/reference/drools-core-999-SNAPSHOT.buildinfo
> > [ERROR] size mismatch drools-core-999-SNAPSHOT-tests.jar: investigate with diffoscope drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar drools-core/target/drools-core-999-SNAPSHOT-tests.jar
> > [ERROR] Reproducible Build output summary: 4 files ok, 1 different
> > [ERROR] see diff drools-core/target/reference/drools-core-999-SNAPSHOT.buildinfo drools-core/target/drools-core-999-SNAPSHOT.buildinfo
> > [ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html
> > [INFO] Reproducible Build output comparison saved to /home/tkobayas/usr/work/reproducible/drools/drools-core/target/drools-core-999-SNAPSHOT.buildcompare
> > [INFO] Aggregate buildcompare copied to /home/tkobayas/usr/work/reproducible/drools/target/drools-parent-999-SNAPSHOT.buildcompare
> > ```
> >
> > diffoscope output:
> > ```
> > $ diffoscope drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar drools-core/target/drools-core-999-SNAPSHOT-tests.jar
--- drools-core/target/reference/drools-core-999-SNAPSHOT-tests.jar > > +++ drools-core/target/drools-core-999-SNAPSHOT-tests.jar > > ├── zipinfo {} > > │ @@ -1,8 +1,8 @@ > > │ -Zip file size: 232564 bytes, number of entries: 220 > > │ +Zip file size: 233299 bytes, number of entries: 221 > > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 META-INF/ > > │ -rw-r--r-- 2.0 unx 505 b- defN 24-Jan-12 00:00 META-INF/MANIFEST.MF > > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/ > > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/ > > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 org/drools/core/ > > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 > > org/drools/core/base/ > > │ drwxr-xr-x 2.0 unx 0 b- stor 24-Jan-12 00:00 > > org/drools/core/base/accumulators/ > > │ 
@@ -188,14 +188,15 @@ > > │ -rw-r--r-- 2.0 unx 435 b- defN 24-Jan-12 00:00 > > org/drools/core/util/asm/TestAbstract.class > > │ -rw-r--r-- 2.0 unx 450 b- defN 24-Jan-12 00:00 > > org/drools/core/util/asm/TestAbstractImpl.class > > │ -rw-r--r-- 2.0 unx 1547 b- defN 24-Jan-12 00:00 > > org/drools/core/util/asm/TestBean.class > > │ -rw-r--r-- 2.0 unx 205 b- defN 24-Jan-12 00:00 > > org/drools/core/util/asm/TestInterface.class > > │ -rw-r--r-- 2.0 unx 556 b- defN 24-Jan-12 00:00 > > org/drools/core/util/asm/TestInterfaceImpl.class > > │ -rw-r--r-- 2.0 unx 1910 b- defN 24-Jan-12 00:00 > > org/drools/core/util/asm/TestObject.class > > │ -rwxr-xr-x 2.0 unx 644 b- defN 24-Jan-12 00:00 > > org/drools/core/util/droolsClient.keystore > > │ +-rw-r--r-- 2.0 unx 624 b- defN 24-Jan-12 00:00 > > org/drools/core/util/droolsServer.jceks > > │ -rwxr-xr-x 2.0 unx 1350 b- defN 24-Jan-12 00:00 > > org/drools/core/util/droolsServer.keystore > > │ -rw-r--r-- 2.0 unx 865 b- defN 24-Jan-12 00:00 > > org/drools/core/util/engine.policy > > │ -rw-r--r-- 2.0 unx 5312 b- defN 24-Jan-12 00:00 > > org/drools/core/util/index/IndexUtilTest$FakeBetaNodeFieldConstraint.class > > │ -rw-r--r-- 2.0 unx 3293 b- defN 24-Jan-12 00:00 > > org/drools/core/util/index/IndexUtilTest$FakeReadAccessor.class > > │ -rw-r--r-- 2.0 unx 7673 b- defN 24-Jan-12 00:00 > > org/drools/core/util/index/IndexUtilTest.class > > │ -rw-r--r-- 2.0 unx 3443 b- defN 24-Jan-12 00:00 > > org/drools/core/util/index/RangeIndexTest.class > > │ -rw-r--r-- 2.0 unx 1012 b- defN 24-Jan-12 00:00 > > org/drools/core/util/kie.policy > > │ 
@@ -215,8 +216,8 @@ > > │ -rw-r--r-- 2.0 unx 21806 b- defN 24-Jan-12 00:00 pkg/mortgages.pkg > > │ -rw-r--r-- 2.0 unx 1799 b- defN 24-Jan-12 00:00 > > rule-agent-config.properties > > │ -rw-r--r-- 2.0 unx 2209 b- defN 24-Jan-12 00:00 > > rule-base-rule-agent-config.properties > > │ -rw-r--r-- 2.0 unx 893 b- defN 24-Jan-12 00:00 > > sample-agent-config.properties > > │ -rw-r--r-- 2.0 unx 31057 b- defN 24-Jan-12 00:00 waltz12.dat > > │ -rw-r--r-- 2.0 unx 8039 b- defN 24-Jan-12 00:00 > > META-INF/maven/org.drools/drools-core/pom.xml > > │ -rw-r--r-- 2.0 unx 63 b- defN 24-Jan-12 00:00 > > META-INF/maven/org.drools/drools-core/pom.properties > > │ -220 files, 560891 bytes uncompressed, 196398 bytes compressed: 65.0% > > │ +221 files, 561515 bytes uncompressed, 196979 bytes compressed: 64.9% > > ├── zipnote «TEMP»/diffoscope_e6bcvig3_target/tmpceiwpf7e_.zip > > │ 
@@ -573,14 +573,17 @@ > > │ > > │ Filename: org/drools/core/util/asm/TestObject.class > > │ Comment: > > │ > > │ Filename: org/drools/core/util/droolsClient.keystore > > │ Comment: > > │ > > │ +Filename: org/drools/core/util/droolsServer.jceks > > │ +Comment: > > │ + > > │ Filename: org/drools/core/util/droolsServer.keystore > > │ Comment: > > │ > > │ Filename: org/drools/core/util/engine.policy > > │ Comment: > > │ > > │ Filename: > > org/drools/core/util/index/IndexUtilTest$FakeBetaNodeFieldConstraint.class
> >
> > ```
> >
> > `droolsServer.jceks` seems to be the problem. Sorry that I'll be off until next Tuesday. I may occasionally investigate it, but it would be great if someone can fix it.
> >
> > Cheers,
> > Toshiya
> >
> > On Thu, Jun 20, 2024 at 12:20 AM Alex Porcelli <[email protected]> wrote:
> >
> > > Just tried at the drools repo and it failed in the reproducible build when I run `mvn clean verify artifact:compare` :(
> > >
> > > On Fri, Jun 14, 2024 at 12:08 PM Jan Šťastný <[email protected]> wrote:
> > >
> > > > Hello all,
> > > >
> > > > In discussion with the security team I've been asked to provide answers to the following questions on how we fulfill security requirements that go with the automated GPG signing in the CI environment:
> > > >
> > > > https://infra.apache.org/release-signing.html#automated-release-signing requires that the build is binary reproducible and that "The release procedure contains a validation step where all artifacts are reproduced on trusted hardware (https://www.apache.org/legal/release-policy.html#owned-controlled-hardware) before publication to pages intended for end users"
> > > >
> > > > I'd like to ask everyone for assistance, especially in confirming that our builds are reproducible, but also help me to interpret the trusted hardware request.
> > > >
> > > > The more I think about this, the more I tend to think we will be asked to provide some documentation of how we release as a reference.
> > > >
> > > > Regards
> > > > Jan
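
Review bot: `org/drools/core/util/droolsServer.jceks` (624 bytes, the `+` line in the `@@ -188,14 +188,15 @@` zipinfo hunk of the diffoscope output above) is present only in the locally built tests jar and is the one extra entry behind the 220 versus 221 entry count, so the thing to check is whether something in the `verify` run writes that keystore into the test output directory before the tests jar is packaged. If it does, have it write to a temporary directory outside `target/test-classes`, or exclude the file from the tests jar, then re-run `mvn clean verify artifact:compare`.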
