https://gist.github.com/jvz/54c8222bd8ef3dabd690994ab35d85d2
gist:54c8222bd8ef3dabd690994ab35d85d2
gist.github.com
Logs say the diff is mainly due to compression levels.
> On Jul 8, 2025, at 13:38, Piotr P. Karwasz <pi...@mailing.copernik.eu> wrote:
>
> Hi Matt,
>
> On 8.07.2025 18:34, Matt Sicker wrote:
>> The diffoscope output for the module file is simple:
>>
>> [...]
>> │ "createdBy": {
>> │ "maven": {
>> │ - "version": "3.9.8"
>> │ + "version": "3.9.10"
>> │ }
>
> I didn't know about this aspect of the Gradle Module Metadata (GMM)
> Maven Plugin, but the error makes sense now: the difference is due to
> the Maven version used.
>
> To address this, I’ve opened a feature request in the GMM Maven Plugin
> to stop generating the optional `createdBy` field altogether:
>
> https://github.com/gradlex-org/gradle-module-metadata-maven-plugin/issues/43
>
> This should improve reproducibility and make it easier to verify future
> Log4j releases.
>
>> The diffoscope output for the other file has substantial changes
>> (probably related to version differences).
>
> The differences in the `-sources.jar` are a bit more concerning. While
> it’s more of a documentation artifact than the actual source code of
> Log4j, unexpected changes there still raise questions.
>
> Unlike the `.module` file issue—which I can reproduce by switching to
> Maven 3.9.10—I haven't been able to reproduce the `-sources.jar`
> differences on Linux. Could you upload your `diffoscope` output to a
> Gist or share a summary of the key differences you’re seeing?
>
> Piotr
>
>
