On Wed, 17 Feb 2021 at 15:36, Jenkins, Rodney J (Rod) < jenki...@nationwide.com> wrote:
> <snip>
>
> I have a question on the tarballs on https://archive.apache.org and
> https://repo1.maven.org. I noticed that the images are not the same SHA
> and not the same size. Is there a reason for that?
>
> </snip>

These appear to have been published from the output of different maven builds when the release was being prepared, with various build metadata files varying by 15-30 minutes in their contained timestamps between the two -bin archives, and in turn creating differences in the containing jars and overall archive. The timestamp differences appear to be the only differences there fortunately.

For the actual source release, the file in the Apache archive contains a couple of additional dependency-reduced-pom.xml snapshot files (for activemq-run and activemq-all modules) vs the one deployed to central which looks to have been created about 12 mins later, but the other content is again otherwise the same.

Such a difference is not expected if following the regular release process. Folks also tend to verify the bits staged on the apache servers for the dist area / archive / dist mirrors etc during release testing. These two combined are probably why such a difference hasn't been spotted before.

(It's expected they use different types of checksum files, as the actual release has to use a .sha512 file by policy, but if you generate a common type I expect them to match normally, with the signature files the same in both cases)
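The kind of comparison described in the reply above, as an added example that is not part of the original message or of the ActiveMQ release tooling: it hashes every file in two archives, descending into jars, so that a differing whole-archive checksum can be narrowed to the entries that actually changed. The function names, the sample archive layout and the file paths are constructed for illustration.

```python
import hashlib, io, tarfile, zipfile

def digest_entry(path, body):
    # A jar is a zip: hash its entries one by one, so an embedded build
    # timestamp is reported as that file rather than "the whole jar changed".
    if path.endswith(".jar"):
        out = {}
        with zipfile.ZipFile(io.BytesIO(body)) as z:
            for info in z.infolist():
                if not info.is_dir():
                    out.update(digest_entry(f"{path}!/{info.filename}", z.read(info)))
        return out
    return {path: hashlib.sha512(body).hexdigest()}

def member_digests(data):
    """Map each regular file in a tar archive to the SHA-512 of its content."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar:
            if m.isfile():
                out.update(digest_entry(m.name, tar.extractfile(m).read()))
    return out

def diff_archives(a, b):
    da, db = member_digests(a), member_digests(b)
    return {
        "only_a": sorted(da.keys() - db.keys()),
        "only_b": sorted(db.keys() - da.keys()),
        "changed": sorted(k for k in da.keys() & db.keys() if da[k] != db[k]),
    }

def build_sample(stamp, extra=()):
    """Constructed sample: a tiny tar.gz whose jar embeds a build timestamp."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/maven/pom.properties", f"#Generated {stamp}\n")
        z.writestr("org/example/App.class", b"\xca\xfe\xba\xbe")
    files = {"lib/app.jar": jar.getvalue(), "README.txt": b"sample\n"}
    files.update({name: b"<project/>" for name in extra})
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    print(diff_archives(build_sample("10:00"), build_sample("10:15")))
```

Archive member mtimes and jar entry dates are deliberately ignored here; only file content is hashed, so any entry listed under `changed` differs in its bytes.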