[ https://issues.apache.org/jira/browse/MARTIFACT-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17516397#comment-17516397 ]
Herve Boutemy commented on MARTIFACT-31:
after a deep dive, the root cause is that Dependency Check has published a buildinfo
generated with maven-artifact-plugin 3.1.0
while rebuilding on Reproducible Central uses maven-artifact-plugin 3.2.0: this
release checks poms that were not checked before, so the buildinfo does not
contain the same file identifiers...
we can't use the downloaded reference buildinfo to automatically check against
the actual buildinfo...
> wrong comparison results when buildinfo has been published to Central
> -
>
> Key: MARTIFACT-31
> URL: https://issues.apache.org/jira/browse/MARTIFACT-31
> Project: Maven Artifact Plugin
> Issue Type: Bug
> Components: artifact:compare
> Affects Versions: 3.2.0
> Reporter: Herve Boutemy
> Assignee: Herve Boutemy
> Priority: Major
> Fix For: 3.3.0
>
>
> trying to rebuild OWASP Dependency Check 6.5.0 on Reproducible Central leads
> to many false differences found
--
This message was sent by Atlassian Jira
(v8.20.1#820001)