vlsi commented on pull request #641: URL: https://github.com/apache/jmeter/pull/641#issuecomment-768535255
Ah, the library was published by @apupier somehow manually (see https://issues.apache.org/jira/browse/XERCESJ-1724) It is sad Xerces PMC does not publish jars to repository.apache.org :-/ On the other hand, the file at Central is the same as the one in the official release: ``` $ openssl dgst -sha512 Xerces-J-bin.2.12.1.zip SHA512(Xerces-J-bin.2.12.1.zip)= 318222b084e2882b16d230a70d0811882d2e46b0e63e8262098e952d25c9caebf32b40c0d0a1ed68a787f6dd017b5a4fa805c00889429115462dfb2e268a8b28 # jar from the official release $ openssl dgst -sha512 xercesImpl.jar SHA512(xercesImpl.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957 ``` ``` # jar from OSSRH $ openssl dgst -sha512 xercesImpl-2.12.1.jar SHA512(xercesImpl-2.12.1.jar)= 811afd85cdd19545785fde7fb39511f1e171e1d021a96117d105e2b2f37715536e17259e6ad0ce897b4c7c8a5bd1e88c9fa0825b0a2ef9f3956cd82944a33957 ``` So I agree we should use SHA512, and we should use SHA512 for all other xerces jars. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
