Posted to notifications@logging.apache.org by "Rayk Bajohr (Jira)" <ji...@apache.org> on 2019/09/17 08:35:00 UTC
[jira] [Created] (LOG4J2-2695) Checksum between release binary archive and maven repo doesn't match
Rayk Bajohr created LOG4J2-2695:
-----------------------------------
Summary: Checksum between release binary archive and maven repo doesn't match
Key: LOG4J2-2695
URL: https://issues.apache.org/jira/browse/LOG4J2-2695
Project: Log4j 2
Issue Type: Bug
Affects Versions: 2.12.1
Reporter: Rayk Bajohr
The jar file checksums in the release binary archive don't match the checksums offered by maven central.
As a user I expect that the checksums are identical to ensure that we download trusted binaries via maven central. Maybe we have a misunderstanding, but the idea is to verify the checksums once to ensure the binaries aren't manipulated.
Here is an example based on the "log4j-api-2.12.1.jar" file.
*Maven Repo*
SHA1 checksum: a55e6d987f50a515c9260b0451b4fa217dc539cb
[https://repo.maven.apache.org/maven2/org/apache/logging/log4j/log4j-api/2.12.1/log4j-api-2.12.1.jar.sha1]
*Binary Archive Artifact*
SHA1 checksum: f952311a8cab7f8ffda787c1b5216fee9317d2f
Downloaded from: [https://www.apache.org/dyn/closer.lua/logging/log4j/2.12.1/apache-log4j-2.12.1-bin.zip]
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
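
The comparison described in the report, as an added example that is not part of the original message or of Log4j's release tooling: it checks a repository jar against its published `.sha1` value, compares it with the jar bundled in a binary archive, and goes one step further by hashing each jar entry's uncompressed content, which shows whether two jars with different SHA-1 values differ in their files or only in zip packaging metadata. All function names, jar names and sample data are constructed for illustration, and the sample makes no statement about the cause of LOG4J2-2695.

```python
import hashlib, io, zipfile

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def published_sha1(text: str) -> str:
    # A .sha1 file holds the hex digest, optionally followed by a file name.
    return text.split()[0].lower()

def jar_from_archive(archive: bytes, suffix: str) -> bytes:
    """Return the single archive member whose path ends with suffix."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = [n for n in zf.namelist() if n.endswith(suffix)]
        if len(names) != 1:
            raise ValueError(f"expected one member ending in {suffix!r}, got {names}")
        return zf.read(names[0])

def entry_digests(jar: bytes) -> dict:
    """SHA-1 of each entry's uncompressed content, ignoring zip metadata."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return {i.filename: sha1_hex(zf.read(i)) for i in zf.infolist() if not i.is_dir()}

def compare(archive: bytes, suffix: str, repo_jar: bytes, sha1_text: str) -> dict:
    bundled = jar_from_archive(archive, suffix)
    a, b = entry_digests(bundled), entry_digests(repo_jar)
    return {
        "repo_jar_matches_published_sha1": sha1_hex(repo_jar) == published_sha1(sha1_text),
        "jar_sha1_equal": sha1_hex(bundled) == sha1_hex(repo_jar),
        "differing_entries": sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n)),
    }

# Constructed sample data below: not real Log4j artifacts.
def make_jar(entries: dict, stamp: tuple) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=stamp), data)
    return buf.getvalue()

def demo() -> dict:
    entries = {"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\n", "Example.class": b"\xca\xfe\xba\xbe"}
    repo_jar = make_jar(entries, (2019, 8, 6, 10, 0, 0))   # same files,
    bundled = make_jar(entries, (2019, 8, 6, 11, 0, 0))    # different entry timestamps
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("example-bin/example-api.jar", bundled)
    return compare(out.getvalue(), "example-api.jar", repo_jar, sha1_hex(repo_jar) + "\n")

if __name__ == "__main__":
    print(demo())
```

An empty `differing_entries` list alongside unequal jar digests means the two jars carry the same files and differ only in packaging metadata; a non-empty list names the entries whose content differs.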