You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@maven.apache.org by "Herve Boutemy (Jira)" <ji...@apache.org> on 2022/04/02 21:24:00 UTC

[jira] [Commented] (MARTIFACT-31) wrong comparison results when buildinfo has been published to Central

    [ https://issues.apache.org/jira/browse/MARTIFACT-31?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17516397#comment-17516397 ] 

Herve Boutemy commented on MARTIFACT-31:
----------------------------------------

after deep dive, root cause is that Dependency Check has published a buildinfo generated with maven-artifact-plugin 3.1.0
while rebuilding on Reproducible Central uses maven-artifact-plugin 3.2.0: this releases checks poms that were not checked before, then buildinfo does not have contain same files identifiers...

we can't use downloaded reference buildinfo to automatically check against actual buildinfo...

> wrong comparison results when buildinfo has been published to Central
> ---------------------------------------------------------------------
>
>                 Key: MARTIFACT-31
>                 URL: https://issues.apache.org/jira/browse/MARTIFACT-31
>             Project: Maven Artifact Plugin
>          Issue Type: Bug
>          Components: artifact:compare
>    Affects Versions: 3.2.0
>            Reporter: Herve Boutemy
>            Assignee: Herve Boutemy
>            Priority: Major
>             Fix For: 3.3.0
>
>
> trying to rebuild OWASP Dependency Check 6.5.0 on Reproducible Central leads to many false differences found



--
This message was sent by Atlassian Jira
(v8.20.1#820001)