> -----Original Message----- > From: Matt Sicker > Sent: Wednesday, December 29, 2021 1:33 PM > > This is something that has been fixed (or will be fixed) in recent versions. > This was caused by one of > the Maven plugins in use outputting the current timestamp when it was run > into the manifest file which > got written for each invocation. New builds use reproducible timestamps > instead generated when the tag > is made.
Looks like it is still not reproducible. $ sha256sum.exe *.jar c967f223487980b9364e94a7c7f9a8a01fd3ee7c19bdbf0b0f9f8cb8511f3d41 *maven-log4j-core-2.17.1.jar 7e9ee383f6c730557c133bb7a840b7a4225c14e786d543aeae079b3173b58017 *tgz-log4j-core-2.17.1.jar 7e9ee383f6c730557c133bb7a840b7a4225c14e786d543aeae079b3173b58017 *zip-log4j-core-2.17.1.jar --- zip/META-INF/MANIFEST.MF 2021-12-27 17:24:58.000000000 -0500 +++ maven/META-INF/MANIFEST.MF 2021-12-27 17:30:42.000000000 -0500 @@ -3,7 +3,7 @@ Bundle-SymbolicName: org.apache.logging.log4j.core Log4jSigningUserName: [email protected] Built-By: matt -Bnd-LastModified: 1640647495926 +Bnd-LastModified: 1640647839891 Implementation-Vendor-Id: org.apache.logging.log4j Specification-Title: Apache Log4j Core Log4jReleaseManager: Matt Sicker > -- > Matt Sicker > > > On Dec 29, 2021, at 11:57, Jason Pyeron <[email protected]> wrote: > > > > We have noticed that many of the jars (almost all) when fetched by maven > > are different from the ones > packaged in the bin.zip which are different from the bin.tar.gz? > > > > > > > > This was observed while trying to identify multiple jars recently > > > > > > > > e.g. log4j-core-2.14.0.jar > > > > 063d95404bb4665a872d44a17710dab85bbb5fcf4eb22e777a6a137b50053235 from > > random software package > > > > 966886853b3b31fe100050d6294e921167ed510a3af6ac97dedc5f49b809a6d0 from > > apache-log4j-2.14.0-bin.tar.gz > > > > f04ee9c0ac417471d9127b5880b96c3147249f20674a8dbb88e9949d855382a8 from Maven > > > > 68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa from > > apache-log4j-2.14.0-bin.zip > > > > > > > > Thoughts? -- Jason Pyeron | Architect PD Inc | Certified SBA 8(a) 10 w 24th St | Certified SBA HUBZone Baltimore, MD | CAGE Code: 1WVR6 .mil: [email protected] .com: [email protected] tel : 202-741-9397
