This is something that has been fixed (or will be fixed) in recent versions. This was caused by one of the Maven plugins in use outputting the current timestamp when it was run into the manifest file which got written for each invocation. New builds use reproducible timestamps instead generated when the tag is made. -- Matt Sicker
> On Dec 29, 2021, at 11:57, Jason Pyeron <[email protected]> wrote: > > We have noticed that many of the jars (almost all) when fetched by maven are > different from the ones packaged in the bin.zip which are different from the > bin.tar.gz? > > > > This was observed while trying to identify multiple jars recently > > > > e.g. log4j-core-2.14.0.jar > > 063d95404bb4665a872d44a17710dab85bbb5fcf4eb22e777a6a137b50053235 from random > software package > > 966886853b3b31fe100050d6294e921167ed510a3af6ac97dedc5f49b809a6d0 from > apache-log4j-2.14.0-bin.tar.gz > > f04ee9c0ac417471d9127b5880b96c3147249f20674a8dbb88e9949d855382a8 from Maven > > 68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa from > apache-log4j-2.14.0-bin.zip > > > > Thoughts? > > > > Jason Pyeron | Architect > > PD Inc | Certified SBA 8(a) > > 10 w 24th St | Certified SBA HUBZone > > Baltimore, MD | CAGE Code: 1WVR6 > > > > .mil: <mailto:[email protected]> [email protected] > > .com: <mailto:[email protected]> [email protected] > > tel : 202-741-9397 > > > > >
