[
https://issues.apache.org/jira/browse/AXIS2-6094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Lazarski resolved AXIS2-6094.
------------------------------------
Resolution: Fixed
This should be resolved by AXIS2-6082 (reproducible builds), which was merged
via PR #879 and
ships in 2.0.1. The root cause was that JARs inside the WAR distribution were
built with
different timestamps than the JARs published to Maven Central. With
project.build.outputTimestamp
now set in the parent POM, all artifacts use the same timestamp, producing
identical checksums.
> CRC of some axis2 jars distributed via WAR archive is different than CRC of
> jars distributed via public repositories
> --------------------------------------------------------------------------------------------------------------------
>
> Key: AXIS2-6094
> URL: https://issues.apache.org/jira/browse/AXIS2-6094
> Project: Axis2
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: Brănaci Șerban-Mihai
> Priority: Minor
> Fix For: 2.0.1
>
>
> It seems that some of the axis2 jars included in the WAR archive available at
> [https://axis.apache.org/axis2/java/core/download.html] differ in some way
> from the ones available on mvnrepository (functionality-wise they are not
> affected and size-wise the jars are identical).
> Even if functionality-wise this is a non-issue, for SCA/BOM scanning with
> tools like Mend, which rely on the sha1sum for package matching, this is a
> problem.
> Here are the "problematic" packages:
> sha1sums from WAR archive:
> {code:java}
> $ sha1sum *
> af76a762087190af90729299b25321d61509c87a *axis2-adb-2.0.0.jar
> 6148fa39e891be11cfe00ba434e75fcd67ce58be *axis2-clustering-2.0.0.jar
> fe9a867ebd07207e467f665f9e07ed2262a84b49 *axis2-codegen-2.0.0.jar
> 6e063d60320a90d168beb57fe398c17c46eb1d59 *axis2-corba-2.0.0.jar
> fb4bc5a477115d486ec222b0d2b9695b3ce530c8 *axis2-fastinfoset-2.0.0.jar
> 77895d0d38ee8615d7b4170d15989d37af819323 *axis2-jaxws-2.0.0.jar
> cb4519531be19f4b01103667486999794ba43ebb *axis2-jibx-2.0.0.jar
> e4352032b486a65b708838d5f518fff16728ebf0 *axis2-json-2.0.0.jar
> 3cddc26c93bdc589fabf8c7e41ec17c2775b51ea *axis2-kernel-2.0.0.jar
> 6b0e739937ae4c3460a13fb7ce1794693167c621 *axis2-metadata-2.0.0.jar
> 4369b53dbf07e175b7cbecffb1d65505733a8c65 *axis2-mtompolicy-2.0.0.jar
> 8e940e51d2cd56431afe0304ee175072226a5c53 *axis2-saaj-2.0.0.jar
> cf4dbcfc8a10957035ac2c2574f80f2ba4ac5cd1 *axis2-soapmonitor-servlet-2.0.0.jar
> 283a77dc0d3ee74ea631c2156ebcfb3216671a42 *axis2-spring-2.0.0.jar
> e8c9f41c9e2b48b90046c5a850350fc62d1ac4aa *axis2-transport-http-2.0.0.jar
> {code}
> sha1sums from mvnrepository:
> {code:java}
> $ sha1sum *
> dd7074c4d0313a66d07bfaa65e7a81d319269f50 *axis2-adb-2.0.0.jar
> 611bc3c601465b88294ef5685fa79b88c98deecc *axis2-clustering-2.0.0.jar
> 760088129e738e91c5e5ba4b2101b6bfa4b3c4ef *axis2-codegen-2.0.0.jar
> 01252650ee948a7950ade6d9d0f6467a9e996ea0 *axis2-corba-2.0.0.jar
> 5be8b59a11de949d9933cf370dd630b37490bdba *axis2-fastinfoset-2.0.0.jar
> 417c1487beea8978d637bdc0aef30a5e6e425f9e *axis2-jaxws-2.0.0.jar
> 524e74c9e36149171c30b71440831961047d35da *axis2-jibx-2.0.0.jar
> 8860d572fe3abe321c60ccbe5409255c0f1951c7 *axis2-json-2.0.0.jar
> be70358978fe833bd02838b9a10e3dd79a696e88 *axis2-kernel-2.0.0.jar
> 969a4e13bd7dd0329b64ed78dc1a68d549164992 *axis2-metadata-2.0.0.jar
> 6d49734f95fdbd9390e39c63c067be0a9ef318f7 *axis2-mtompolicy-2.0.0.jar
> d8130e5ed88e043d05cddc083c55b43e5b94bdd4 *axis2-saaj-2.0.0.jar
> 146f4a4ac7b05c7fbd8d72edeaa5172f547c4cb5 *axis2-soapmonitor-servlet-2.0.0.jar
> afa190d78714c4d795268fa178a64e98253623b9 *axis2-spring-2.0.0.jar
> 93bf2c434e9d1115d611cac4660a4cfd1a2931e4 *axis2-transport-http-2.0.0.jar
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
