Posted to dev@logging.apache.org by Jason Pyeron <jp...@pdinc.us> on 2022/01/13 08:58:34 UTC

RE: Maven published jars not matching jars downloaded from apache.org?

> -----Original Message-----
> From: Matt Sicker
> Sent: Wednesday, December 29, 2021 1:33 PM
> 
> This is something that has been fixed (or will be fixed) in recent versions. This was caused by one of
> the Maven plugins in use outputting the current timestamp when it was run into the manifest file which
> got written for each invocation. New builds use reproducible timestamps instead generated when the tag
> is made.

Looks like it is still not reproducible.

$ sha256sum.exe *.jar
c967f223487980b9364e94a7c7f9a8a01fd3ee7c19bdbf0b0f9f8cb8511f3d41 *maven-log4j-core-2.17.1.jar
7e9ee383f6c730557c133bb7a840b7a4225c14e786d543aeae079b3173b58017 *tgz-log4j-core-2.17.1.jar
7e9ee383f6c730557c133bb7a840b7a4225c14e786d543aeae079b3173b58017 *zip-log4j-core-2.17.1.jar

--- zip/META-INF/MANIFEST.MF    2021-12-27 17:24:58.000000000 -0500
+++ maven/META-INF/MANIFEST.MF  2021-12-27 17:30:42.000000000 -0500
@@ -3,7 +3,7 @@
 Bundle-SymbolicName: org.apache.logging.log4j.core
 Log4jSigningUserName: mattsicker@apache.org
 Built-By: matt
-Bnd-LastModified: 1640647495926
+Bnd-LastModified: 1640647839891
 Implementation-Vendor-Id: org.apache.logging.log4j
 Specification-Title: Apache Log4j Core
 Log4jReleaseManager: Matt Sicker
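Review bot: the only line that differs between the two manifests is Bnd-LastModified, an epoch-millisecond stamp that bnd writes at jar-assembly time (the two values are about 344 s apart), so this hunk is evidence of two separate builds, not of a content change; Built-By and Log4jSigningUserName are identical on both sides. Because the tgz and zip hashes above match, the same diff holds against the tarball's manifest. The stamp becomes stable once the build sets Maven's `project.build.outputTimestamp` (which recent bnd-maven-plugin releases honour) or bnd's `-reproducible` instruction. A manifest-only diff says nothing about the class files, so the other entries of the two jars still need to be compared before the builds are called equivalent.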


> --
> Matt Sicker
> 
> > On Dec 29, 2021, at 11:57, Jason Pyeron <jp...@pdinc.us> wrote:
> >
> > We have noticed that many of the jars (almost all) when fetched by Maven are different from the ones
> > packaged in the bin.zip which are different from the bin.tar.gz?
> >
> > This was observed while trying to identify multiple jars recently.
> >
> > e.g. log4j-core-2.14.0.jar
> >
> > 063d95404bb4665a872d44a17710dab85bbb5fcf4eb22e777a6a137b50053235 from random software package
> > 966886853b3b31fe100050d6294e921167ed510a3af6ac97dedc5f49b809a6d0 from apache-log4j-2.14.0-bin.tar.gz
> > f04ee9c0ac417471d9127b5880b96c3147249f20674a8dbb88e9949d855382a8 from Maven
> > 68d793940c28ddff6670be703690dfdf9e77315970c42c4af40ca7261a8570fa from apache-log4j-2.14.0-bin.zip
> >
> > Thoughts?


--
Jason Pyeron  | Architect
PD Inc        | Certified SBA 8(a)
10 w 24th St  | Certified SBA HUBZone
Baltimore, MD | CAGE Code: 1WVR6
 
.mil: jason.j.pyeron.ctr@mail.mil
.com: jpyeron@pdinc.us
tel : 202-741-9397
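The check that Jason's whole-file hashes call for, as an added example that is not code from the thread or from the Log4j project: compare two jars entry by entry and separate a volatile manifest stamp such as Bnd-LastModified from real content differences. The jars below are constructed in memory (carrying the two Bnd-LastModified values from the diff above) rather than downloaded, the class bytes are placeholders, and the headers treated as volatile besides Bnd-LastModified are an assumption.

```python
"""Compare two jars modulo build timestamps.

Added example, not code from the thread or from the log4j project. The jars are
built in memory so the script runs offline; every input below is constructed.
"""
import hashlib
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"

# Headers that legitimately vary between two builds of identical sources.
# Bnd-LastModified is the one shown in the thread; the others are assumed here.
VOLATILE_HEADERS = {"Bnd-LastModified", "Build-Jdk", "Build-Jdk-Spec", "Created-By"}


def parse_manifest(data: bytes) -> dict:
    """Parse the main section of a JAR manifest into {header: value}.

    A line starting with a single space continues the previous value (the
    72-byte line-wrapping rule); the first blank line ends the main section,
    so per-entry sections of signed jars are not compared here.
    """
    headers, last = {}, None
    for raw in data.decode("utf-8").splitlines():
        if not raw.strip():
            break
        if raw.startswith(" ") and last is not None:
            headers[last] += raw[1:]
            continue
        name, _, value = raw.partition(":")
        last = name.strip()
        headers[last] = value.strip()
    return headers


def read_entry(jar_bytes: bytes, name: str) -> bytes:
    """Return one entry's contents, or b"" if the jar has no such entry."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            return zf.read(name)
        except KeyError:
            return b""


def entry_digests(jar_bytes: bytes) -> dict:
    """Map each file entry to the SHA-256 of its contents. Zip-level metadata
    (entry mtimes, ordering, compression) is deliberately ignored."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def compare_jars(a: bytes, b: bytes) -> dict:
    """Report content differences outside the manifest, manifest headers that
    differ and are volatile, and manifest headers that differ and are not.
    'reproducible_modulo_timestamps' is True only when volatile headers are
    the sole difference."""
    da, db = entry_digests(a), entry_digests(b)
    content_diff = sorted(
        name for name in set(da) | set(db)
        if name != MANIFEST and da.get(name) != db.get(name)
    )
    volatile, other = {}, {}
    if da.get(MANIFEST) != db.get(MANIFEST):
        ma, mb = parse_manifest(read_entry(a, MANIFEST)), parse_manifest(read_entry(b, MANIFEST))
        for key in sorted(set(ma) | set(mb)):
            if ma.get(key) != mb.get(key):
                (volatile if key in VOLATILE_HEADERS else other)[key] = (ma.get(key), mb.get(key))
    return {
        "content_diff": content_diff,
        "volatile_headers": volatile,
        "other_headers": other,
        "reproducible_modulo_timestamps": not content_diff and not other,
    }


def whole_file_sha256(data: bytes) -> str:
    """The number sha256sum prints: sensitive to every byte, timestamps included."""
    return hashlib.sha256(data).hexdigest()


def build_jar(headers: dict, entries: dict) -> bytes:
    """Build a minimal jar in memory (constructed test input, not a real artifact)."""
    lines = ["Manifest-Version: 1.0"] + [f"{k}: {v}" for k, v in headers.items()]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, ("\r\n".join(lines) + "\r\n\r\n").encode())
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


COMMON = {"Bundle-SymbolicName": "org.apache.logging.log4j.core", "Built-By": "matt"}
CLASS_NAME = "org/apache/logging/log4j/core/Logger.class"
CLASS_BYTES = b"\xca\xfe\xba\xbe" + b"\x00" * 28  # placeholder, not a real class file

# Two builds of identical sources, stamped 344 s apart (the values from the diff above).
JAR_ZIP = build_jar({**COMMON, "Bnd-LastModified": "1640647495926"}, {CLASS_NAME: CLASS_BYTES})
JAR_MAVEN = build_jar({**COMMON, "Bnd-LastModified": "1640647839891"}, {CLASS_NAME: CLASS_BYTES})
# A jar whose class bytes were altered: a timestamp-tolerant check must still flag it.
JAR_TAMPERED = build_jar({**COMMON, "Bnd-LastModified": "1640647839891"}, {CLASS_NAME: CLASS_BYTES + b"\x01"})

if __name__ == "__main__":
    print("whole-file hashes differ:", whole_file_sha256(JAR_ZIP) != whole_file_sha256(JAR_MAVEN))
    print("zip vs maven:", compare_jars(JAR_ZIP, JAR_MAVEN))
    print("zip vs tampered:", compare_jars(JAR_ZIP, JAR_TAMPERED))
```

The third jar is there because a check that only normalises the manifest would wave through a modified class file; hashing every entry is what makes the comparison safe to act on. Equal content modulo timestamps shows that two distribution channels carry the same build, not that either is authentic; that still comes from verifying the .asc signature on the apache.org download against the project's KEYS file. The fix at the source is Maven's reproducible-builds support: setting project.build.outputTimestamp in the pom makes maven-jar-plugin and recent bnd-maven-plugin releases derive their timestamps from that value, and bnd's -reproducible instruction does the same at the bnd level.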



Re: Maven published jars not matching jars downloaded from apache.org?

Posted by Matt Sicker <bo...@gmail.com>.
I don't think we've upgraded the parent pom yet, so we still didn't
have reproducible builds enabled at that time.

On Thu, Jan 13, 2022 at 2:59 AM Jason Pyeron <jp...@pdinc.us> wrote: