I don't think we've upgraded the parent pom yet, so we still didn't have reproducible builds enabled at that time.
On Thu, Jan 13, 2022 at 2:59 AM Jason Pyeron <[email protected]> wrote: > > > -----Original Message----- > > From: Matt Sicker > > Sent: Wednesday, December 29, 2021 1:33 PM > > > > This is something that has been fixed (or will be fixed) in recent > > versions. This was caused by one of > > the Maven plugins in use outputting the current timestamp when it was run > > into the manifest file which > > got written for each invocation. New builds use reproducible timestamps > > instead generated when the tag > > is made. > > Looks like it is still not reproducible. > > $ sha256sum.exe *.jar > c967f223487980b9364e94a7c7f9a8a01fd3ee7c19bdbf0b0f9f8cb8511f3d41 > *maven-log4j-core-2.17.1.jar > 7e9ee383f6c730557c133bb7a840b7a4225c14e786d543aeae079b3173b58017 > *tgz-log4j-core-2.17.1.jar > 7e9ee383f6c730557c133bb7a840b7a4225c14e786d543aeae079b3173b58017 > *zip-log4j-core-2.17.1.jar > > --- zip/META-INF/MANIFEST.MF 2021-12-27 17:24:58.000000000 -0500 > +++ maven/META-INF/MANIFEST.MF 2021-12-27 17:30:42.000000000 -0500 > @@ -3,7 +3,7 @@ > Bundle-SymbolicName: org.apache.logging.log4j.core > Log4jSigningUserName: [email protected] > Built-By: matt > -Bnd-LastModified: 1640647495926 > +Bnd-LastModified: 1640647839891 > Implementation-Vendor-Id: org.apache.logging.log4j > Specification-Title: Apache Log4j Core > Log4jReleaseManager: Matt Sicker > > > > -- > > Matt Sicker > > > > > On Dec 29, 2021, at 11:57, Jason Pyeron <[email protected]> wrote: > > > > > > We have noticed that many of the jars (almost all) when fetched by maven > > > are different from the ones > > packaged in the bin.zip which are different from the bin.tar.gz? > > > > > > > > > > > > This was observed while trying to identify multiple jars recently > > > > > > > > > > > > e.g. log4j-core-2.14.0.jar > > > > > > 063d95404bb4665a872d44a17710dab85bbb5fcf4eb22e777a6a137b50053235 from > > > random software package > > > > > > 966886853b3b31fe100050d6294e921167ed510a3af6ac97dedc5f49b809a6d0 from > > > apache-log4j-2.14.0-bin.tar.gz > > > > > > f04ee9c0ac417471d9127b5880b96c3147249f20674a8dbb88e9949d855382a8 from > > > Maven > > > > > > 68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa from > > > apache-log4j-2.14.0-bin.zip > > > > > > > > > > > > Thoughts? > > > -- > Jason Pyeron | Architect > PD Inc | Certified SBA 8(a) > 10 w 24th St | Certified SBA HUBZone > Baltimore, MD | CAGE Code: 1WVR6 > > .mil: [email protected] > .com: [email protected] > tel : 202-741-9397 > >
