Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi Hervé, On Fri, 5 Jan 2024 at 08:14, Herve Boutemy wrote: > Piotr found the issue about the second run of bundle plugin and about > moditect 1.1.0 sensitivity to TZ: I don't know how hard it was to learn this, > nor how. > Do you have any idea on how to ease such discovery? The first time we encountered a difference in a zipfile metadata, it was hard. We knew from the binary diff from diffoscope that the difference is in the metadata, but it took us some time to notice that the file listings differed by an executable flag. For the Moditect problem I already knew where to look and I noticed that the timestamps from Gary's official artifacts and mine differed by 6 hours. Since the UNIX `unzip` utility does not support the "Extended Timestamp" I used Commons Compress to list all the extensions in the ZIP entries. In general I think that diffoscope could be improved by: * listing all the extensions of ZIP entries explicitly and in order, * adding some basic properties for each file, e.g. "Java class file, bytecode 52" or "Text file, CRLF line endings". Piotr - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi team, I'm happy to have people like you trying to rebuild and compare: your feedback on your experience is very valuable. Here are a few remarks on this thread: - if you want to rebuild and *compare against a remote repository* (be it a SNAPSHOT or a release), you absolutely need to *avoid "mvn install" first*, because this install step completely dismisses the remote repository a corollary is that you need to check your local repo (~/.m2/repository) and eventually clean it and sadly it's not easy for artifact:compare to detect if the reference file comes from local mvn install or form a download from remote... I need to think more about this: created https://issues.apache.org/jira/browse/MARTIFACT-58 - on the diffoscope output not being easy to analyze to know how to fix issues: can you confirm me that the "artifact:compare" output is ok to read and discover how to run diffoscope? can you confirm that diffoscope output is ok to read, to see the diff (even if you don't know yet how to fix the build to avoid that difference)? on going from diff reading step to instructions on how to fix: given the very diverse nature of issues that can lead to the difference, I don't see how to make analysis easier than pure reader's experience Piotr found the issue about the second run of bundle plugin and about moditect 1.1.0 sensitivity to TZ: I don't know how hard it was to learn this, nor how. Do you have any idea on how to ease such discovery? Any other feedback appreciated Regards, Hervé On 2023/12/29 18:33:29 Gary Gregory wrote: > TY Piotr! > > Putting your pieces together for a local Commons Compress, this works for me: > > export TZ=UTC > mvn clean install > mvn clean package artifact:compare \ > -Dreference.repo=apache.snapshots \ > -DskipTests \ > -Dcommons.spdx.version=0.7.1 -Dspdx.skip > > Gary > > On Fri, Dec 29, 2023 at 12:44 PM Piotr P. Karwasz > wrote: > > > > Hi Gary, > > > > On Fri, 29 Dec 2023 at 15:11, Gary Gregory wrote: > > > I run, copied from the > > > https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec: > > > > > > mvn -Prelease clean package package -DskipTests -Dmaven.javadoc.skip > > > -Dgpg.skip -Dcyclonedx.skip -Dcommons.release.dryRun > > > -Dcommons.release.isDistModule=false > > > > > > Then: > > > > > > mvn package package artifact:compare > > > > Maven has a short guide to check reproducibility: > > https://maven.apache.org/guides/mini/guide-reproducible-builds.html > > > > If you want to check a local artifact vs a previous local artifact you > > need to use: > > > > mvn clean install > > mvn clean package artifact:compare -DskipTests > > > > The first run install the artifact into the local Maven repo, the > > second one generates new ones and compares them with those installed. > > > > To check local vs remote you just need the second part. I am able to > > reproduce the current Commons Compress snapshot with: > > > > export TZ=UTC > > export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 > > mvn clean package artifact:compare \ > > -Dreference.repo=apache.snapshots \ > > -DskipTests \ > > -Dcommons.spdx.version=0.7.1 -Dspdx.skip > > > > I have no idea how those snapshots are generated, but they match my > > local ones. The last line bumps the SPDX Maven Plugin to a version > > that supports `-Dspdx.skip` ;-) > > > > Piotr > > > > - > > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > > For additional commands, e-mail: dev-h...@commons.apache.org > > > > - > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > > - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
TY Piotr! Putting your pieces together for a local Commons Compress, this works for me: export TZ=UTC mvn clean install mvn clean package artifact:compare \ -Dreference.repo=apache.snapshots \ -DskipTests \ -Dcommons.spdx.version=0.7.1 -Dspdx.skip Gary On Fri, Dec 29, 2023 at 12:44 PM Piotr P. Karwasz wrote: > > Hi Gary, > > On Fri, 29 Dec 2023 at 15:11, Gary Gregory wrote: > > I run, copied from the > > https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec: > > > > mvn -Prelease clean package package -DskipTests -Dmaven.javadoc.skip > > -Dgpg.skip -Dcyclonedx.skip -Dcommons.release.dryRun > > -Dcommons.release.isDistModule=false > > > > Then: > > > > mvn package package artifact:compare > > Maven has a short guide to check reproducibility: > https://maven.apache.org/guides/mini/guide-reproducible-builds.html > > If you want to check a local artifact vs a previous local artifact you > need to use: > > mvn clean install > mvn clean package artifact:compare -DskipTests > > The first run install the artifact into the local Maven repo, the > second one generates new ones and compares them with those installed. > > To check local vs remote you just need the second part. I am able to > reproduce the current Commons Compress snapshot with: > > export TZ=UTC > export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 > mvn clean package artifact:compare \ > -Dreference.repo=apache.snapshots \ > -DskipTests \ > -Dcommons.spdx.version=0.7.1 -Dspdx.skip > > I have no idea how those snapshots are generated, but they match my > local ones. The last line bumps the SPDX Maven Plugin to a version > that supports `-Dspdx.skip` ;-) > > Piotr > > - > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi Gary, On Fri, 29 Dec 2023 at 15:11, Gary Gregory wrote: > I run, copied from the > https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec: > > mvn -Prelease clean package package -DskipTests -Dmaven.javadoc.skip > -Dgpg.skip -Dcyclonedx.skip -Dcommons.release.dryRun > -Dcommons.release.isDistModule=false > > Then: > > mvn package package artifact:compare Maven has a short guide to check reproducibility: https://maven.apache.org/guides/mini/guide-reproducible-builds.html If you want to check a local artifact vs a previous local artifact you need to use: mvn clean install mvn clean package artifact:compare -DskipTests The first run install the artifact into the local Maven repo, the second one generates new ones and compares them with those installed. To check local vs remote you just need the second part. I am able to reproduce the current Commons Compress snapshot with: export TZ=UTC export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64 mvn clean package artifact:compare \ -Dreference.repo=apache.snapshots \ -DskipTests \ -Dcommons.spdx.version=0.7.1 -Dspdx.skip I have no idea how those snapshots are generated, but they match my local ones. The last line bumps the SPDX Maven Plugin to a version that supports `-Dspdx.skip` ;-) Piotr - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
I run, copied from the https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec: mvn -Prelease clean package package -DskipTests -Dmaven.javadoc.skip -Dgpg.skip -Dcyclonedx.skip -Dcommons.release.dryRun -Dcommons.release.isDistModule=false Then: mvn package package artifact:compare Which gives me: [INFO] --- artifact:3.5.0:compare (default-cli) @ commons-compress --- [WARNING] SCM source tag in buildinfo source.scm.tag=HEAD does not permit rebuilders reproducible source checkout [INFO] Saved info on build to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildinfo [INFO] Checking against reference build from central... [INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts [INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec) [INFO] Reference build os.name: Unix (from pom.properties newline) [INFO] Minimal buildinfo generated from downloaded artifacts: /Users/garydgregory/git/commons-compress/target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo [ERROR] size mismatch commons-compress-1.25.1-SNAPSHOT.jar: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar target/commons-compress-1.25.1-SNAPSHOT.jar [ERROR] size mismatch commons-compress-1.25.1-SNAPSHOT-tests.jar: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT-tests.jar target/commons-compress-1.25.1-SNAPSHOT-tests.jar [ERROR] sha512 mismatch commons-compress-1.25.1-SNAPSHOT.spdx.json: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.spdx.json target/site/org.apache.commons_commons-compress-1.25.1-SNAPSHOT.spdx.json [ERROR] Reproducible Build output summary: 5 files ok, 3 different [ERROR] see diff target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo target/commons-compress-1.25.1-SNAPSHOT.buildinfo [ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html [INFO] Reproducible Build output comparison saved to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildcompare [INFO] [INFO] BUILD FAILURE [INFO] ? TY, Gary On Fri, Dec 29, 2023 at 8:50 AM Piotr P. Karwasz wrote: > > Hi Gary, > > On Fri, 29 Dec 2023 at 13:37, Gary Gregory wrote: > > I do appreciate the fact that I can ask "Am I reproducible" but the > > output is... cryptic. > > Yes, unfortunately if the check fails, finding the reason of the > failure is hard. > > > For example: > > ... > > ├── META-INF/MANIFEST.MF > > │ @@ -65,11 +65,12 @@ > > │ b.asm;resolution:=optional,javax.crypto;resolution:=optional,javax.cryp > > │ to.spec;resolution:=optional,org.apache.commons.codec.digest,org.apache > > │ .commons.io,org.apache.commons.io.file.attribute,org.apache.commons.io. > > │ input,org.apache.commons.io.output,org.apache.commons.commons-codec;res > > │ olution:=optional,org.apache.commons.commons-io;resolution:=optional > > │ Include-Resource: META-INF/LICENSE.txt=LICENSE.txt,META-INF/NOTICE.txt=N > > │ OTICE.txt > > │ +Originally-Created-By: Apache Maven Bundle Plugin 5.1.9 > > │ Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" > > │ Tool: Bnd-6.4.1.202306080939 > > │ Multi-Release: true > > You have a difference in the MANIFEST.MF that consists of an > additional "Originally-Created-By" header. > > Hervé already solved this mystery and you can find the Maven command > line required here: > > https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec > > The reproducibility problem is caused by multiple executions of the > Apache Maven Bundle Plugin. If you start with an empty `target` > directory: > > * the first execution creates a MANIFEST.MF file, notably a > "Created-By" header, > * the second execution reads the MANIFEST.MF file, changes it and > renames the "Created-By" header from the first execution into > "Originally-Created-By". > > TL;DR: Running `mvn package package artifact:compare` solves the problem. > > Piotr > > - > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi Gary, On Fri, 29 Dec 2023 at 13:37, Gary Gregory wrote: > I do appreciate the fact that I can ask "Am I reproducible" but the > output is... cryptic. Yes, unfortunately if the check fails, finding the reason of the failure is hard. > For example: > ... > ├── META-INF/MANIFEST.MF > │ @@ -65,11 +65,12 @@ > │ b.asm;resolution:=optional,javax.crypto;resolution:=optional,javax.cryp > │ to.spec;resolution:=optional,org.apache.commons.codec.digest,org.apache > │ .commons.io,org.apache.commons.io.file.attribute,org.apache.commons.io. > │ input,org.apache.commons.io.output,org.apache.commons.commons-codec;res > │ olution:=optional,org.apache.commons.commons-io;resolution:=optional > │ Include-Resource: META-INF/LICENSE.txt=LICENSE.txt,META-INF/NOTICE.txt=N > │ OTICE.txt > │ +Originally-Created-By: Apache Maven Bundle Plugin 5.1.9 > │ Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" > │ Tool: Bnd-6.4.1.202306080939 > │ Multi-Release: true You have a difference in the MANIFEST.MF that consists of an additional "Originally-Created-By" header. Hervé already solved this mystery and you can find the Maven command line required here: https://github.com/jvm-repo-rebuild/reproducible-central/blob/master/content/org/apache/commons/compress/commons-compress-1.25.0.buildspec The reproducibility problem is caused by multiple executions of the Apache Maven Bundle Plugin. If you start with an empty `target` directory: * the first execution creates a MANIFEST.MF file, notably a "Created-By" header, * the second execution reads the MANIFEST.MF file, changes it and renames the "Created-By" header from the first execution into "Originally-Created-By". TL;DR: Running `mvn package package artifact:compare` solves the problem. Piotr - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi Piotr and all, Thank you for the refresher :-) I do appreciate the fact that I can ask "Am I reproducible" but the output is... cryptic. For example: git clone https://gitbox.apache.org/repos/asf/commons-compress.git cd commons-compress mvn clean install -DskipTests mvn package artifact:compare \ -DskipTests \ -Dcyclonedx.skip \ -Dcommons.spdx.version=0.7.1 -Dspdx.skip Tells me: [INFO] --- artifact:3.5.0:compare (default-cli) @ commons-compress --- [WARNING] SCM source tag in buildinfo source.scm.tag=HEAD does not permit rebuilders reproducible source checkout [INFO] Saved info on build to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildinfo [INFO] Checking against reference build from central... [INFO] Reference buildinfo file not found: it will be generated from downloaded reference artifacts [INFO] Reference build java.version: 17 (from MANIFEST.MF Build-Jdk-Spec) [INFO] Reference build os.name: Unix (from pom.properties newline) [INFO] Minimal buildinfo generated from downloaded artifacts: /Users/garydgregory/git/commons-compress/target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo [ERROR] size mismatch commons-compress-1.25.1-SNAPSHOT.jar: investigate with diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar target/commons-compress-1.25.1-SNAPSHOT.jar [ERROR] Reproducible Build output summary: 4 files ok, 1 different [ERROR] see diff target/reference/commons-compress-1.25.1-SNAPSHOT.buildinfo target/commons-compress-1.25.1-SNAPSHOT.buildinfo [ERROR] see also https://maven.apache.org/guides/mini/guide-reproducible-builds.html [INFO] Reproducible Build output comparison saved to /Users/garydgregory/git/commons-compress/target/commons-compress-1.25.1-SNAPSHOT.buildcompare [INFO] [INFO] BUILD FAILURE [INFO] and then: diffoscope target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar target/commons-compress-1.25.1-SNAPSHOT.jar --- target/reference/org.apache.commons/commons-compress-1.25.1-SNAPSHOT.jar +++ target/commons-compress-1.25.1-SNAPSHOT.jar ├── zipinfo {} │ @@ -1,9 +1,9 @@ │ -Zip file size: 1058930 bytes, number of entries: 620 │ -?rw-r--r-- 2.0 unx 4615 bX defN 24-Jan-01 00:00 META-INF/MANIFEST.MF │ +Zip file size: 1058940 bytes, number of entries: 620 │ +?rw-r--r-- 2.0 unx 4672 bX defN 24-Jan-01 00:00 META-INF/MANIFEST.MF │ ?rwxr-xr-x 1.0 unx0 bx stor 24-Jan-01 00:00 META-INF/ │ ?rwxr-xr-x 1.0 unx0 bx stor 24-Jan-01 00:00 org/ │ ?rwxr-xr-x 1.0 unx0 bx stor 24-Jan-01 00:00 org/apache/ │ ?rwxr-xr-x 1.0 unx0 bx stor 24-Jan-01 00:00 org/apache/commons/ │ ?rwxr-xr-x 1.0 unx0 bx stor 24-Jan-01 00:00 org/apache/commons/compress/ │ ?rwxr-xr-x 1.0 unx0 bx stor 24-Jan-01 00:00 org/apache/commons/compress/archivers/ │ ?rwxr-xr-x 1.0 unx0 bx stor 24-Jan-01 00:00 org/apache/commons/compress/archivers/ar/ │ @@ -615,8 +615,8 @@ │ ?rw-r--r-- 2.0 unx 3009 bx defN 24-Jan-01 00:00 org/apache/commons/compress/utils/TimeUtils.class │ ?rw-r--r-- 2.0 unx 139 bx defN 24-Jan-01 00:00 org/apache/commons/compress/utils/package-info.class │ ?rw-r--r-- 2.0 unx21657 bx defN 24-Jan-01 00:00 META-INF/maven/org.apache.commons/commons-compress/pom.xml │ ?rw-r--r-- 2.0 unx 79 bx defN 24-Jan-01 00:00 META-INF/maven/org.apache.commons/commons-compress/pom.properties │ -rw 1.0 fat0 bx stor 24-Jan-01 00:00 META-INF/versions/ │ -rw 1.0 fat0 bx stor 24-Jan-01 00:00 META-INF/versions/9/ │ -rw 2.0 fat 2495 bX defN 24-Jan-01 00:00 META-INF/versions/9/module-info.class │ -620 files, 2115694 bytes uncompressed, 921522 bytes compressed: 56.5% │ +620 files, 2115751 bytes uncompressed, 921532 bytes compressed: 56.5% ├── META-INF/MANIFEST.MF │ @@ -65,11 +65,12 @@ │ b.asm;resolution:=optional,javax.crypto;resolution:=optional,javax.cryp │ to.spec;resolution:=optional,org.apache.commons.codec.digest,org.apache │ .commons.io,org.apache.commons.io.file.attribute,org.apache.commons.io. │ input,org.apache.commons.io.output,org.apache.commons.commons-codec;res │ olution:=optional,org.apache.commons.commons-io;resolution:=optional │ Include-Resource: META-INF/LICENSE.txt=LICENSE.txt,META-INF/NOTICE.txt=N │ OTICE.txt │ +Originally-Created-By: Apache Maven Bundle Plugin 5.1.9 │ Require-Capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.8))" │ Tool: Bnd-6.4.1.202306080939 │ Multi-Release: true Hm.. now what? Gary On Thu, Dec 28, 2023 at 11:10 AM Piotr P. Karwasz wrote: > > Hi Gary, > > On Thu, 28 Dec 2023 at 16:03, Gary Gregory wrote: > > What value for $NEXUS_REPO would one use to verify repro _after_ a > > release? I want to experiment with Apache Commons components... > > The `reference.repo` system variable is us
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi Gary, On Thu, 28 Dec 2023 at 16:03, Gary Gregory wrote: > What value for $NEXUS_REPO would one use to verify repro _after_ a > release? I want to experiment with Apache Commons components... The `reference.repo` system variable is used by the `referenceRepo` parameter of `artifact:compare`: https://maven.apache.org/plugins/maven-artifact-plugin/compare-mojo.html with a default value of `central`, so you can skip setting the parameter. I can reproduce most of the artifacts in your latest Commons Fileupload release with this incantation: export TZ=UTC export JAVA_HOME=...path to JDK 17... mvn package artifact:compare \ -DskipTests \ -Dcyclonedx.skip \ -Dcommons.spdx.version=0.7.1 -Dspdx.skip The Maven Artifact Plugin only compares those artifacts, which are attached to the current build, so skipping CycloneDX and SPDX generation effectively prevents performing a reproducibility check on those artifacts. This is not ideal, but: * SPDX has a lot of reproducibility problems, * CycloneDX is usually reproducible, but I am probably affected by issue#410 [2], * we actually only care about the binary artifacts and POMs, the rest is a bonus. Piotr [1] https://github.com/jvm-repo-rebuild/reproducible-central [2] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/410 PS: We are mixing threads from multiple lists. For those following dev@commons, NEXUS_REPO is a reference to this thread from dev@logging: https://lists.apache.org/thread/163ow0knp5q29hrsh1doqm3jwxkrzwoo - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Re: Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi Piotr, What value for $NEXUS_REPO would one use to verify repro _after_ a release? I want to experiment with Apache Commons components... Gary On Sat, Dec 16, 2023 at 6:56 PM Piotr P. Karwasz wrote: > > Hi all, > > On Mon, 27 Nov 2023 at 00:15, Piotr P. Karwasz > wrote: > > 2. For some strange reason I had to set `TZ=America/New_York` to make > > the main JAR reproducible. Either the Moditect or the Maven JAR plugin > > are responsible for that. > > The recent Commons artifacts are hard to reproduce, since one of the > environment variables required by reproducibility is the timezone of > the system that generated the artifacts. > > The problem is due to the Moditect plugin issue#222. > > Until this problem is resolved, could you provide you timezone in the > vote e-mails? > > Piotr > > [1] https://github.com/moditect/moditect/issues/222 > > - > To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org > For additional commands, e-mail: dev-h...@commons.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org
Reproducibility of Commons artifacts was: [VOTE] Release Apache Commons Logging 1.3.0 based on RC1
Hi all, On Mon, 27 Nov 2023 at 00:15, Piotr P. Karwasz wrote: > 2. For some strange reason I had to set `TZ=America/New_York` to make > the main JAR reproducible. Either the Moditect or the Maven JAR plugin > are responsible for that. The recent Commons artifacts are hard to reproduce, since one of the environment variables required by reproducibility is the timezone of the system that generated the artifacts. The problem is due to the Moditect plugin issue#222. Until this problem is resolved, could you provide you timezone in the vote e-mails? Piotr [1] https://github.com/moditect/moditect/issues/222 - To unsubscribe, e-mail: dev-unsubscr...@commons.apache.org For additional commands, e-mail: dev-h...@commons.apache.org