laeubi commented on PR #1726:
URL: https://github.com/apache/maven/pull/1726#issuecomment-2372876643

   > I'm neither talking about the content of `META-INF/MANIFEST.MF` nor the timestamp of the jar, but **the timestamp of entries in the jar/zip**

   But is this then not more for the `jar-plugin` to handle (e.g. warn / error / choose default / ...)? Besides that, I wonder why the sha1 sum is used in the first place; would comparing the zip entries not be more useful (we do this at Tycho), as it then does not even depend on the compression level?

   Another one would be, as you described, to download the real jar first and then extract the used timestamp value from there, then inject it into the reproducible build.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscr...@maven.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
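The two ideas in the comment above, sketched as an added example that is not part of the original message and is not Tycho's or Maven's code: comparing jars entry by entry instead of by archive checksum, and reading the entry timestamp out of a reference jar. The jars, entry names and function names are constructed for illustration.

```python
import hashlib
import io
import zipfile
from collections import Counter


def build_jar(entries, date_time, compression, level=None):
    """Build a constructed sample jar in memory; every entry gets date_time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            info = zipfile.ZipInfo(name, date_time=date_time)
            zf.writestr(info, data, compress_type=compression, compresslevel=level)
    return buf.getvalue()


def entry_digests(jar_bytes):
    """Map entry name -> SHA-256 of its uncompressed bytes (no timestamps, no order)."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in digests:
                # Duplicate names make "the" content ambiguous: refuse to compare.
                raise ValueError(f"duplicate entry: {info.filename}")
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def same_content(jar_a, jar_b):
    return entry_digests(jar_a) == entry_digests(jar_b)


def reference_timestamp(jar_bytes):
    """Most common entry timestamp (DOS time: no timezone, 2-second resolution)."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        counts = Counter(info.date_time for info in zf.infolist())
    return counts.most_common(1)[0][0]


# Constructed sample data: same entries, different timestamps and compression.
ENTRIES = [("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\r\n"),
           ("org/example/App.class", b"\xca\xfe\xba\xbe" + b"\x00" * 256)]
REFERENCE = build_jar(ENTRIES, (2024, 9, 25, 6, 30, 0), zipfile.ZIP_DEFLATED, 9)
REBUILT = build_jar(ENTRIES, (1980, 1, 1, 0, 0, 0), zipfile.ZIP_STORED)

if __name__ == "__main__":
    print("sha1 equal:   ", hashlib.sha1(REFERENCE).digest() == hashlib.sha1(REBUILT).digest())
    print("entries equal:", same_content(REFERENCE, REBUILT))
    print("timestamp:    ", reference_timestamp(REFERENCE))
```

The entry-level comparison deliberately ignores entry order and per-entry metadata, so it answers "same content?" rather than "bit-for-bit identical archive?".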
