[ https://issues.apache.org/jira/browse/MARTIFACT-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17516397#comment-17516397 ]
Herve Boutemy commented on MARTIFACT-31: ---------------------------------------- after deep dive, root cause is that Dependency Check has published a buildinfo generated with maven-artifact-plugin 3.1.0 while rebuilding on Reproducible Central uses maven-artifact-plugin 3.2.0: this releases checks poms that were not checked before, then buildinfo does not have contain same files identifiers... we can't use downloaded reference buildinfo to automatically check against actual buildinfo... > wrong comparison results when buildinfo has been published to Central > --------------------------------------------------------------------- > > Key: MARTIFACT-31 > URL: https://issues.apache.org/jira/browse/MARTIFACT-31 > Project: Maven Artifact Plugin > Issue Type: Bug > Components: artifact:compare > Affects Versions: 3.2.0 > Reporter: Herve Boutemy > Assignee: Herve Boutemy > Priority: Major > Fix For: 3.3.0 > > > trying to rebuild OWASP Dependency Check 6.5.0 on Reproducible Central leads > to many false differences found -- This message was sent by Atlassian Jira (v8.20.1#820001)