Posted to notifications@logging.apache.org by "Kevin Kotas (Jira)" <ji...@apache.org> on 2021/12/15 22:21:00 UTC

[jira] [Created] (LOG4J2-3240) org.apache.logging.log4 does not match archive.apache.org/dist/logging/log4j/

Kevin Kotas created LOG4J2-3240:
-----------------------------------

             Summary: org.apache.logging.log4 does not match archive.apache.org/dist/logging/log4j/
                 Key: LOG4J2-3240
                 URL: https://issues.apache.org/jira/browse/LOG4J2-3240
             Project: Log4j 2
          Issue Type: Bug
          Components: Core
    Affects Versions: 2.16.0
            Reporter: Kevin Kotas


The releases of Log4j 2 from org.apache.logging.log4j do not match the signed releases from https://archive.apache.org/dist/logging/log4j/. Please check build process per Matt Sicker.
 
At https://search.maven.org/search?q=a:log4j-core
org.apache.logging.log4j --> 2.16.0 -> download jar
 
$ sha256sum  log4j-core-2.16.0.jar
5d241620b10e3f1475320bc9552cf7bcfa27eeb9b1b6a891449e76db4b4a02a8  log4j-core-2.16.0.jar
 
From https://www.apache.org/dyn/closer.lua/logging/log4j/2.16.0/apache-log4j-2.16.0-bin.zip
 
$ sha256sum apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
085e0b34e40533015ba6a73e85933472702654e471c32f276e76cffcf7b13869  apache-log4j-2.16.0-bin/log4j-core-2.16.0.jar
 
$ gpg --verify apache-log4j-2.16.0-bin.zip.asc
gpg: assuming signed data in 'apache-log4j-2.16.0-bin.zip'
gpg: Signature made Mon 13 Dec 2021 12:40:11 AM EST
gpg:                using RSA key 9D0A56AAA0D60E0C0C7DCCC0B4C70893B62BABE8
gpg: Good signature from "Matt Sicker (Apache Software Foundation) <mattsicker@apache.org>" [unknown]
gpg:                 aka "Matthew Sicker (Signing Key) <mattsicker@apache.org>" [unknown]
 
diff also shows that the MANIFEST.MF Bnd-LastModified field is different in log4j-core-2.16.0.jar between the two sources.
 
diff -r 2.16.0-bin/META-INF/MANIFEST.MF log4j-core-2.16.0/META-INF/MANIFEST.MF
5c5
< Bnd-LastModified: 1639373735804
---
> Bnd-LastModified: 1639374077682
 
This difference in META-INF/MANIFEST.MF is also in org.apache.logging.log4j:log4j-core: 2.15.0 



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
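
The manual sha256sum and diff steps in the report above can be automated by comparing two jars entry by entry and checking whether the only difference is a manifest build timestamp. This is an added example, not part of the original report or the Log4j project's tooling; `make_jar` and the `org/example/Sample.class` entry are constructed sample data, and the two `Bnd-LastModified` values are the ones shown in the report's diff.

```python
import hashlib, io, zipfile

def entry_digests(jar_bytes):
    """SHA-256 of each entry's uncompressed bytes (ignores zip timestamps/compression)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist() if not i.is_dir()}

def manifest_parts(jar_bytes):
    """(main-section attributes, remaining per-entry sections) of MANIFEST.MF."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    # Normalise line endings and unfold continuation lines (leading space).
    main, _, rest = text.replace("\r\n", "\n").replace("\n ", "").partition("\n\n")
    return dict(l.split(": ", 1) for l in main.split("\n") if ": " in l), rest

def compare_jars(a, b):
    da, db = entry_digests(a), entry_digests(b)
    (fa, ra), (fb, rb) = manifest_parts(a), manifest_parts(b)
    return {
        "only_a": sorted(set(da) - set(db)),
        "only_b": sorted(set(db) - set(da)),
        "changed": sorted(n for n in set(da) & set(db) if da[n] != db[n]),
        "manifest_diff": {k: (fa.get(k), fb.get(k))
                          for k in sorted(set(fa) | set(fb)) if fa.get(k) != fb.get(k)},
        "manifest_rest_equal": ra == rb,
    }

def differs_only_by(report, allowed=("Bnd-LastModified",)):
    """True when nothing differs except the allowed main manifest attributes."""
    return (not report["only_a"] and not report["only_b"]
            and set(report["changed"]) <= {"META-INF/MANIFEST.MF"}
            and report["manifest_rest_equal"]
            and set(report["manifest_diff"]) <= set(allowed))

def make_jar(last_modified, class_bytes=b"\xca\xfe\xba\xbe constructed"):
    """Constructed sample jar; not a real Log4j artifact."""
    manifest = ("Manifest-Version: 1.0\r\nBundle-Name: constructed-sample\r\n"
                f"Bnd-LastModified: {last_modified}\r\n\r\n").encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest)
        zf.writestr("org/example/Sample.class", class_bytes)
    return buf.getvalue()

if __name__ == "__main__":
    report = compare_jars(make_jar("1639373735804"), make_jar("1639374077682"))
    print(report["changed"], report["manifest_diff"], differs_only_by(report))
```

A result of True only narrows the mismatch to the timestamp; the signed archive remains the reference copy, and any changed class or resource entry makes the check fail.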