Hi Gary,
On 3.02.2025 00:26, Gary Gregory wrote:
> Please review the release candidate and vote.
> This vote will close no sooner than 72 hours from now.
>
> [ ] +1 Release these artifacts
> [ ] +0 OK, but...
> [ ] -0 OK, but really should fix...
> [ ] -1 I oppose this release because...

The hashes in the SBOMs do not match what is in Maven Central (e.g. the
hash of Commons Code is wrong). Should we continue?
As pointed out by Arnout, we will remove both explicit versions and
hashes from the SBOM in the future, but maybe we should use the correct
data for now?
Piotr
PS: I am not strongly opinionated on this and I know that the only
reason you are getting incorrect hashes for other Commons artifacts is
that you are doing so much work in Commons.
[1] https://github.com/CycloneDX/cyclonedx-maven-plugin/issues/589
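
A check for the kind of mismatch described above, as an added example that is not part of the original message or of any Apache Commons tooling: it recomputes each hash recorded in a CycloneDX JSON SBOM from the published artifact bytes. The purls, the byte strings and the function name `check_sbom_hashes` are constructed for illustration, and the artifact bytes are assumed to have been downloaded from the repository beforehand.

```python
import hashlib

# CycloneDX "alg" names mapped to hashlib algorithm names.
ALGS = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256",
        "SHA-384": "sha384", "SHA-512": "sha512"}

def check_sbom_hashes(sbom, artifacts):
    """Recompute every hash an SBOM records and compare it with the artifact.

    sbom      -- parsed CycloneDX JSON document (dict)
    artifacts -- purl -> bytes of the published file (assumed already fetched)
    Returns (purl, alg, status) tuples; status is ok, mismatch or unverified.
    """
    results = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl") or comp.get("name", "?")
        data = artifacts.get(purl)
        hashes = comp.get("hashes", [])
        if data is None or not hashes:
            # Nothing to compare: report it rather than silently passing.
            results.append((purl, None, "unverified"))
            continue
        for h in hashes:
            name = ALGS.get(h["alg"])
            if name is None:
                results.append((purl, h["alg"], "unverified"))
                continue
            actual = hashlib.new(name, data).hexdigest()
            status = "ok" if actual == h["content"].lower() else "mismatch"
            results.append((purl, h["alg"], status))
    return results

# Constructed sample data: purls and bytes are made up for illustration.
PURL_A = "pkg:maven/org.example/lib-a@1.0.0?type=jar"
PURL_B = "pkg:maven/org.example/lib-b@2.0.0?type=jar"
PURL_C = "pkg:maven/org.example/lib-c@3.0.0?type=jar"
PUBLISHED = {PURL_A: b"lib-a as published", PURL_B: b"lib-b as published"}
OTHER_BUILD_B = b"lib-b from a different build"  # bytes the SBOM generator saw

def _component(purl, data):
    digest = hashlib.sha256(data).hexdigest()
    return {"type": "library", "purl": purl,
            "hashes": [{"alg": "SHA-256", "content": digest}]}

SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    _component(PURL_A, PUBLISHED[PURL_A]),   # hash taken from published bytes
    _component(PURL_B, OTHER_BUILD_B),       # hash taken from other bytes
    {"type": "library", "purl": PURL_C}]}    # no hash recorded at all

if __name__ == "__main__":
    for row in check_sbom_hashes(SBOM, PUBLISHED):
        print(*row)
```

A component with no recorded hash is reported as `unverified` rather than as a failure, which is the state the SBOM would be in once hashes are dropped from it.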