community-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Henk P. Penning" <penn...@uu.nl>
Subject Re: Updated checksum policy doc update
Date Fri, 30 Mar 2018 10:00:12 GMT
Hi,

   FYI ; I updated the 'verification' page.

     https://www.apache.org/info/verification

   -- section "Checking Hashes" :
      This section now has a reference to 'checker.apache.org',
      including a form to submit a SHA-1 to the checker.

   -- section "Checking Signatures" :
      -- Unchanged ;
      -- read it ...
      -- the first, easy part (check the detached signature) is ok ;
      -- the second (not-so-easy) part (Validating Authenticity
         of a Key) is entirely impractical : "A good start to
         validating a key is by face-to-face communication ..."

   Here is a puzzle :

   -- look at http://www.staff.science.uu.nl/~penni101/puzzle/
   -- prove that 'foo' an authentic ASF artifact

   Regards,

   Henk Penning

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/

---------- Forwarded message ----------
Date: Sun, 25 Mar 2018 14:18:06 +0200 (CEST)
From: Henk P. Penning <penning@uu.nl>
To: ComDev <dev@community.apache.org>
Cc: Users <users@infra.apache.org>
Subject: Re: Updated checksum policy doc update

On Sat, 24 Mar 2018, Christopher wrote:

>  Date: Sat, 24 Mar 2018 21:16:04 +0100
>  From: Christopher <ctubbsii@apache.org>
>  To: ComDev <dev@community.apache.org>
>  Cc: Users <users@infra.apache.org>
>  Subject: Updated checksum policy doc update
>
>  The recently updated checksum policy from infra means more people should be
>  using tools like sha512sum or shasum (or even sha1sum) instead of md5sum,
>  but the instructions for users to verify releases:
>  https://www.apache.org/info/verification only mention md5sum tools. They
>  should be updated to include mention of tools for checking SHA-1 and SHA-2
>  hashes. This page is so old and out of date, that it even still mentions
>  textutils, which was rolled into coreutils 15 years ago.
>
>  I'm not sure who can update this page, but it definitely needs some
>  attention. Otherwise, projects will have to provide their own, possibly
>  inconsistent, verification instructions (rather than link to this page, as
>  many do now).

Hi,

    I fixed up https://www.apache.org/info/verification a little,
    regarding "Checking Hashes" ; it is still impractical.

   I would rather refer people to

     https://checker.apache.org/dist/verify.html

   See for examples (click left ; click right) :

     https://checker.apache.org/#META-files

   Regards,

   Henk Penning

------------------------------------------------------------   _
Henk P. Penning, ICT-beta                 R Uithof MG-403    _/ \_
Faculty of Science, Utrecht University    T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL          F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M penning@uu.nl     \_/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@community.apache.org
For additional commands, e-mail: dev-help@community.apache.org


Mime
View raw message