ant-user mailing list archives

From "Mark R. Diggory" <mdigg...@latte.harvard.edu>
Subject Re: md5 checksum formats on BSD
Date Wed, 11 Aug 2004 18:16:49 GMT
Excuse the cross post, I wanted to get this out to the Ant and Maven 
lists as well.

In the larger community the BSD default format is referred to as SVF 
(Simple File Verification) and the GNU md5sum format as MD5SUM. I 
suspect it would be good to see these as output features/options that 
could be set within Ant and Maven to allow developers to choose the md5 
output format one would like to use. Yes, I do believe this would be an 
excellent feature enhancement to these tools.

-Mark

Mark R. Diggory wrote:

> Both Maven and Ant insert only the checksum into the file. I 
> believe they resolve the location of the actual source file from the 
> name of the checksum file, which forces all checksum files to reside 
> in the same directory as their source files.
>
> This represents a problem if you want to verify the generated checksum on 
> *nix or BSD using md5sum or cksum, as these tools require the file path 
> (relative to the md5) to actually be present in the md5 file and I do 
> not believe there is any way around this.
>
> -Mark
>
> Martin Cooper wrote:
>
>> Do you happen to know which flavour Ant creates? For Struts releases,
>> the Ant build file generates the MD5 files using the <checksum> task.
>> That seems like a pretty obvious way to generate them for any project
>> that uses Ant, but the task doesn't appear to have any switch for
>> determining flavour (and the docs don't appear to say anything about
>> different flavours of MD5).
>>
>> -- 
>> Martin Cooper
>>
>>
>> On Wed, 11 Aug 2004 13:06:00 -0400, Mark R. Diggory
>> <mdiggory@latte.harvard.edu> wrote:
>>  
>>
>>> A subject came up on the Tomcat developers list which we thought should
>>> be shared with the whole community.
>>>
>>> Specifically, it was found that BSD's default md5 format is not parsable
>>> by some external programs that clients are using to verify the integrity
>>> of our downloads.
>>>
>>> While we thought this not "mission critical", we did think it wise that
>>> we should begin making the following recommendation when creating md5
>>> signatures for files.
>>>
>>> We discovered there is a "-r" option which makes BSD md5 generate md5
>>> signature format that is the same as that of GNU's md5sum, a more
>>> prevalent tool for generating checksums of files.
>>>
>>> We also found that on BSD, "cksum" is comparable to GNU's "md5sum
>>> --check" functionality and that it works on both the BSD and GNU file
>>> format.
>>>
>>> Our recommendation is that Apache should be signing with the more
>>> prevalent GNU formatted output so that other file integrity software
>>> available on platforms other than BSD can verify the file integrity more
>>> easily. This is simply accomplished by adding the -r option.
>>>
>>> For Example:
>>> %md5 -r foo.bar > foo.bar.md5
>>>
>>> We should remember that md5 signatures are for the public to verify the
>>> integrity of our software package distributions. Making sure that
>>> "everyone" can verify our file integrity is probably more important than
>>> maintaining a platform specific format because it is the default for the
>>> OS these were generated on.
>>>
>>> -Mark Diggory
>>>
>>> Mark R. Diggory wrote:
>>>   
>>>
>>>> For example here are the outputs of the various signing tools we use at
>>>> this time:
>>>>
>>>> BSD md5:
>>>>
>>>> > md5 commons-collections-3.1.jar
>>>> MD5 (commons-collections-3.1.jar) = d1dcb0fbee884bb855bb327b8190af36
>>>>
>>>> while the GNU md5 script generates the following:
>>>>
>>>> [mdiggory@tribal jars]$ md5sum commons-collections-3.1.jar
>>>> d1dcb0fbee884bb855bb327b8190af36  commons-collections-3.1.jar
>>>>
>>>> And maven just generates and uses:
>>>> d1dcb0fbee884bb855bb327b8190af36
>>>>
>>>> Yes, the nice thing about BSD md5 is that the -r can be used to make it
>>>> look like the GNU md5sum output, it would probably be good if we started
>>>> to use this as it will be more prevalent and possibly is the closest one
>>>> can get to a standard:
>>>>
>>>> > md5 -r commons-collections-3.1.jar
>>>> d1dcb0fbee884bb855bb327b8190af36 commons-collections-3.1.jar
>>>>
>>>>
>>>> Mark R. Diggory wrote:
>>>>
>>>>     
>>>>
>>>>> This is the md5 output generated by BSD md5 and not necessarily a
>>>>> "standard", GNU md5sum generates a different format that is not
>>>>> "standard" as well. For maven, just the checksum portion of the
>>>>> content is stored in the file.
>>>>>
>>>>> It would be nice if there was a standard in this area, but I have yet
>>>>> to see one in the internet community. We have the same problem with
>>>>> generating md5 checksums for the maven repository at the moment.
>>>>>
>>>>> -Mark
>>>>>
>>>>> Shapira, Yoav wrote:
>>>>>
>>>>>       
>>>>>
>>>>>> Hi,
>>>>>> The format I use for MD5 sums is the standard one.  Every other project
>>>>>> I know uses this format, so I think if anything this user needs to
>>>>>> adjust his preferences ;)  However, if there's a standard or spec
>>>>>> somewhere that mandates we use md5 -r (reverse output format), then
>>>>>> sure, someone point me to it and I'll follow that spec when signing
>>>>>> releases.
>>>>>>
>>>>>> Yoav Shapira
>>>>>> Millennium Research Informatics
>>>>>>
>>>>>>
>>>>>>
>>>>>>         
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: jean-frederic clere 
>>>>>>> [mailto:jfrederic.clere@fujitsu-siemens.com]
>>>>>>> Sent: Tuesday, August 10, 2004 5:26 AM
>>>>>>> To: Tomcat Developers List
>>>>>>> Subject: Re: Fwd: md5 sums for jakarta downloads
>>>>>>>
>>>>>>> Pier Fumagalli wrote:
>>>>>>>
>>>>>>>           
>>>>>>>
>>>>>>>> Begin forwarded message:
>>>>>>>>
>>>>>>>>
>>>>>>>>             
>>>>>>>>
>>>>>>>>> From: Andy Mudrak <ajmudrak@optonline.net>
>>>>>>>>> Date: 10 August 2004 00:57:44 BST
>>>>>>>>> To: webmaster@jakarta.apache.org
>>>>>>>>> Subject: md5 sums for jakarta downloads
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I noticed that your MD5 sums on your website are not all formatted
>>>>>>>>> correctly.  I specifically downloaded the Tomcat 5.0.27 MD5 file, and
>>>>>>>>> found this out.  Not that it's a big deal or anything like that, but
>>>>>>>>> it'd be good to have the MD5 properly formatted, that is the MD5 sum
>>>>>>>>> and then the file name...
>>>>>>>>>
>>>>>>>
>>>>>>> I am not sure that is a good idea:
>>>>>>> +++
>>>>>>> -bash-2.05b$ openssl md5  toto
>>>>>>> MD5(toto)= efd6b079984c77cd80254ff266e9ab43
>>>>>>> +++
>>>>>>>
>>>>>>> And looking in the Jakarta "Binary downloads" I have found that a lot
>>>>>>> of other MD5 files are using the Tomcat format.
>>>>>>>
>>>>>>>
>>>>>>>           
>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Andy Mudrak
>>>>>>>>>
>>>>>>>>> ajmudrak@optonline.net
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>               
>>>>>>>>
>>>>>>>>             
>>>>>>>
>>>>>>> ---------------------------------------------------------------------

>>>>>>>
>>>>>>> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
>>>>>>> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>>>>>>>           
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>         
>>>>>
>>> -- 
>>> Mark Diggory
>>> Software Developer
>>> Harvard MIT Data Center
>>> http://www.hmdc.harvard.edu
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: general-unsubscribe@jakarta.apache.org
>>> For additional commands, e-mail: general-help@jakarta.apache.org
>>>
>>>
>>>   
>>
>
>


-- 
Mark R. Diggory
Software Developer
Harvard MIT Data Center
http://www.hmdc.harvard.edu
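
Added example, not part of the original thread: a verifier that accepts every flavour quoted above (BSD `md5`, `openssl md5`, GNU `md5sum`, BSD `md5 -r`, and the digest-only file that Maven writes). The names `parse_md5_line` and `verify` are hypothetical; the digest-only fallback assumes, as the message describes for Ant and Maven, that `foo.jar.md5` sits beside `foo.jar`.

```python
import hashlib
import os
import re

HEX = r"([0-9a-fA-F]{32})"
# BSD "MD5 (file) = hash" and openssl "MD5(file)= hash"
TAGGED = re.compile(r"^MD5 ?\((.+)\) ?= ?" + HEX + r"$")
# GNU "hash  file" / "hash *file" and BSD -r "hash file"
DIGEST_FIRST = re.compile(r"^" + HEX + r" [ *]?(.+)$")
BARE = re.compile(r"^" + HEX + r"$")  # digest only


def parse_md5_line(line, checksum_file=None):
    """Return (flavour, digest, filename) for one line of a .md5 file."""
    line = line.strip()
    m = TAGGED.match(line)
    if m:
        return "tagged", m.group(2).lower(), m.group(1)
    m = DIGEST_FIRST.match(line)
    if m:
        return "digest-first", m.group(1).lower(), m.group(2)
    m = BARE.match(line)
    # A bare digest names no file: derive it from "<name>.md5" or give up.
    if not m or not (checksum_file or "").endswith(".md5"):
        raise ValueError("no digest/file name recoverable from %r" % line)
    return "bare", m.group(1).lower(), os.path.basename(checksum_file)[:-4]


def verify(checksum_file):
    """Recompute the MD5 of the file the checksum file names or implies."""
    with open(checksum_file) as fh:
        _, digest, name = parse_md5_line(fh.readline(), checksum_file)
    target = os.path.join(os.path.dirname(checksum_file), name)
    with open(target, "rb") as fh:
        return hashlib.md5(fh.read()).hexdigest() == digest


SAMPLES = [  # lines quoted in the thread above
    "MD5 (commons-collections-3.1.jar) = d1dcb0fbee884bb855bb327b8190af36",
    "d1dcb0fbee884bb855bb327b8190af36  commons-collections-3.1.jar",
    "d1dcb0fbee884bb855bb327b8190af36",
    "MD5(toto)= efd6b079984c77cd80254ff266e9ab43",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_md5_line(s, "commons-collections-3.1.jar.md5"))
```
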

