Hi,

> There is NO WAY to verify a binary. Even compiling from source to binary on
> your machine, and trying to compare against a target binary will generally
> fail since timestamps are embedded. Or maybe there are different compilers
> being used.

As per ASF policy a convenience binary can be released at the same time [1] and
it needs to comply with the license and notice policy [2].

It is usually very easy to check a binary (and I’ve done it hundreds of times) by
uncompressing the jar or just editing it directly to see what is bundled inside it.

Thanks,
Justin

1. http://www.apache.org/legal/release-policy.html#compiled-packages
2. http://www.apache.org/dev/licensing-howto.html#binary
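The manual check described in this message, opening the jar and looking at what is bundled inside and whether the LICENSE and NOTICE files are there, can be scripted. The following is an added example and is not code from Justin's message or from any ASF tool; the jar it inspects is constructed in memory, and the project package prefix `org/example` and the nested jar name are assumptions for illustration.

```python
"""Inspect a convenience-binary jar for bundled third-party content.

Added example (not ASF tooling): reports whether META-INF/LICENSE and
META-INF/NOTICE are present, which nested jars are shipped, and which
non-project packages are bundled, so a reviewer can check that the
bundled content is covered by the license and notice files.
"""
import io
import zipfile
from dataclasses import dataclass, field

# Files the ASF binary licensing policy expects inside the jar.
REQUIRED = ("META-INF/LICENSE", "META-INF/NOTICE")


@dataclass
class JarReport:
    entry_count: int
    missing_required: list = field(default_factory=list)
    nested_jars: list = field(default_factory=list)
    bundled_packages: list = field(default_factory=list)

    def ok(self) -> bool:
        # Missing LICENSE/NOTICE is a hard failure; bundled content is only
        # reported, because a reviewer has to judge whether it is covered.
        return not self.missing_required


def inspect_jar(data: bytes, own_prefix: str) -> JarReport:
    """List what is inside the jar without executing anything from it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    upper = {n.upper() for n in names}
    # Accept LICENSE or LICENSE.txt (same for NOTICE), case-insensitively.
    missing = [r for r in REQUIRED
               if r.upper() not in upper and (r + ".txt").upper() not in upper]
    nested = sorted(n for n in names if n.lower().endswith(".jar"))
    own = own_prefix.strip("/").split("/")
    packages = set()
    for n in names:
        if not n.endswith(".class"):
            continue
        parts = n.split("/")[:-1]          # directory components only
        if len(parts) < 2 or parts[:len(own)] == own:
            continue                       # project's own classes
        packages.add(".".join(parts[:2]))  # e.g. com.thirdparty
    return JarReport(len(names), missing, nested, sorted(packages))


def build_sample_jar(include_notice: bool = True) -> bytes:
    """Constructed sample jar: one project class, one bundled third-party
    class and one nested jar (contents are placeholders, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("META-INF/LICENSE", "Apache License 2.0 (placeholder)\n")
        if include_notice:
            zf.writestr("META-INF/NOTICE", "Example Project (placeholder)\n")
        zf.writestr("org/example/app/Main.class", b"\xca\xfe\xba\xbe")
        zf.writestr("com/thirdparty/util/Helper.class", b"\xca\xfe\xba\xbe")
        # Minimal empty zip (end-of-central-directory record only).
        zf.writestr("lib/commons-foo-1.0.jar", b"PK\x05\x06" + b"\x00" * 18)
    return buf.getvalue()


if __name__ == "__main__":
    for notice in (True, False):
        report = inspect_jar(build_sample_jar(notice), "org/example")
        print("entries:", report.entry_count)
        print("missing:", report.missing_required)
        print("nested jars:", report.nested_jars)
        print("bundled packages:", report.bundled_packages)
        print("passes LICENSE/NOTICE check:", report.ok())
```

Run it as-is to see the constructed jar pass and then fail once NOTICE is dropped; to check a real release artifact, read the jar bytes from disk and pass the project's own package prefix to `inspect_jar`.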
