Posted to notifications@logging.apache.org by "Rayk Bajohr (Jira)" <ji...@apache.org> on 2019/09/17 08:35:00 UTC

[jira] [Created] (LOG4J2-2695) Checksum between release binary archive and maven repo doesn't match

Rayk Bajohr created LOG4J2-2695:
-----------------------------------

             Summary: Checksum between release binary archive and maven repo doesn't match
                 Key: LOG4J2-2695
                 URL: https://issues.apache.org/jira/browse/LOG4J2-2695
             Project: Log4j 2
          Issue Type: Bug
    Affects Versions: 2.12.1
            Reporter: Rayk Bajohr


The jar file checksums in the release binary archive don't match the checksums offered by Maven Central.

As a user I expect that the checksums are identical to ensure that we download trusted binaries via Maven Central. Maybe we have a misunderstanding, but the idea is to verify the checksums once to ensure the binaries aren't manipulated.

Here is an example based on the "log4j-api-2.12.1.jar" file.

*Maven Repo*

SHA1 checksum: a55e6d987f50a515c9260b0451b4fa217dc539cb

[https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/2.12.1/log4j-api-2.12.1.jar.sha1]

*Binary Archive Artifact*

SHA1 checksum: f952311a8cab7f8ffda787c1b5216fee9317d2f

 

Downloaded from: [https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.1/apache-log4j-2.12.1-bin.zip]

 



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
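An added example, not part of the original report and not Log4j project tooling: one way to triage a mismatch like the one reported above. It checks the repository jar against its published SHA-1, then compares it with the jar shipped inside the release archive, and on a mismatch goes one step beyond the report by hashing each packaged file to tell repackaging apart from changed content. The function names, result labels and sample jars are assumptions constructed for illustration.

```python
import hashlib
import io
import zipfile


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def entry_digests(jar_bytes: bytes) -> dict:
    """Map each file inside a jar to the SHA-256 of its uncompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        return {i.filename: hashlib.sha256(jar.read(i)).hexdigest()
                for i in jar.infolist() if not i.is_dir()}


def compare_jar(release_zip: bytes, member: str, repo_jar: bytes, published_sha1: str) -> str:
    """Classify the jar shipped in a release archive against the repository jar."""
    # A .sha1 file may hold "digest" or "digest  filename"; keep the digest only.
    if sha1_hex(repo_jar) != published_sha1.split()[0].lower():
        return "repo-jar-fails-published-sha1"
    with zipfile.ZipFile(io.BytesIO(release_zip)) as release:
        shipped = release.read(member)
    if sha1_hex(shipped) == sha1_hex(repo_jar):
        return "identical"
    # Whole-file digests differ: decide whether any packaged file actually differs.
    if entry_digests(shipped) == entry_digests(repo_jar):
        return "same-content-different-packaging"
    return "content-differs"


def build_zip(files: dict, date_time: tuple) -> bytes:
    """Constructed sample data: a zip/jar with one timestamp on every entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in files.items():
            z.writestr(zipfile.ZipInfo(name, date_time=date_time), body)
    return buf.getvalue()


# Constructed inputs (not the real Log4j artifacts): same files, different entry times.
FILES = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n", "org/example/A.class": b"\xca\xfe\xba\xbe"}
REPO_JAR = build_zip(FILES, (2019, 8, 6, 10, 0, 0))
SHIPPED_JAR = build_zip(FILES, (2019, 8, 6, 10, 0, 2))
RELEASE = build_zip({"sample-bin/sample-api-1.0.jar": SHIPPED_JAR}, (2019, 8, 6, 10, 0, 2))

if __name__ == "__main__":
    print(compare_jar(RELEASE, "sample-bin/sample-api-1.0.jar", REPO_JAR, sha1_hex(REPO_JAR)))
```

A "same-content-different-packaging" result only says the packaged files are byte-identical; the release's signatures and published digests for the archive itself still need to be verified separately.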