Daniel Stratton created LOG4J2-3465:
---------------------------------------
Summary: Maven and download hashes do not align
Key: LOG4J2-3465
URL: https://issues.apache.org/jira/browse/LOG4J2-3465
Project: Log4j 2
Issue Type: Bug
Components: API, Core
Affects Versions: 2.17.2
Reporter: Daniel Stratton
The SHA1 checksums for the download of API and Core differ based on whether
they were downloaded from the core site or downloaded from Maven central.
From download
[https://dlcdn.apache.org/logging/log4j/2.17.2/apache-log4j-2.17.2-bin.zip]
{code:java}
Algorithm Hash                                     Path
--------- ----                                     ----
SHA1      00AE567DABF40EEC11027B8BE59EBDCA65A5AD06 log4j-api-2.17.2.jar
SHA1      70BFABC6EF2D35188EE4615BEBC1416080C6F76F log4j-core-2.17.2.jar
{code}
From maven
[https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.2/]
and
[https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.2/]
{code:java}
Algorithm Hash                                     Path
--------- ----                                     ----
SHA1      F42D6AFA111B4DEC5D2AEA0FE2197240749A4EA6 log4j-api-2.17.2.jar
SHA1      FA43BA4467F5300B16D1E0742934149BFC5AC564 log4j-core-2.17.2.jar
{code}
Using Beyond Compare to compare the JAR files, all of the content is identical
except for the MANIFEST.MF file.
The differences there are a singular difference in Bnd-LastModified. For
example, API is
Bnd-LastModified: 1645648089746
vs
Bnd-LastModified: 1645647755961
This has resulted in validation errors in Snyk where we're bundling it in as
part of a larger Eclipse feature plugin.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)