hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15630) Improve checksum files for releases for easier verification
Date Mon, 11 Apr 2016 20:11:25 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15630?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15235887#comment-15235887
] 

Christopher Tubbs commented on HBASE-15630:
-------------------------------------------

Ah, so that's how it's done. That's an interesting way to use gpg... especially since if a
user has GPG in order to do this trick, it'd be better if they ignore this file and check
the signature instead. The hashes seem more useful for people who don't have, or don't want
to use, gpg. In that case, it seems preferable to use the standardized coreutils format.

A few other comments about the gpg output: if one wishes gpg output to be consistent and its
output scriptable, one should specify {{ gpg --with-colons }}. In this case, order of output
also matters, as does the supported algorithms. Unfortunately, the {{ gpg --with-colons }}
option also substitutes the algorithm names with a numeric ID, which is less useful for human
readers. That's unfortunate.

At least now I know how it's done. Thanks for the tip!

> Improve checksum files for releases for easier verification
> -----------------------------------------------------------
>
>                 Key: HBASE-15630
>                 URL: https://issues.apache.org/jira/browse/HBASE-15630
>             Project: HBase
>          Issue Type: Wish
>    Affects Versions: 1.2.1
>            Reporter: Christopher Tubbs
>            Priority: Trivial
>
> Trying to verify latest release (1.2.1), and I found it a bit inconvenient to parse the
*.mds checksum file. The line wrapping, white space, and the general format of the file does
not lend itself for easy verification.
> I suggest using the standard "coreutils" format for md5sum, sha*sum, etc., instead: <lowercase-hash><space><asterisk(binary-flag)><filename>
> {code}
> # md5
> 3d66c0dd4f38fa881046fe64dd680a7a *hbase-1.2.1-src.tar.gz
> # sha1
> 3666a4829d9a8d9285173bfa8e8d0ff5423a22d6 *hbase-1.2.1-src.tar.gz
> # rmd160
> #fb318e84b6256492cfb990aec2238a64c2da21ad *hbase-1.2.1-src.tar.gz
> # sha224
> 89d341a55069e4875f9e6859737062fd7a4c11596811731c4ba95ca0 *hbase-1.2.1-src.tar.gz
> # sha256
> e8000a65e98d4c5db7bab54da99a57209fe4ea777ab41e91ae8ccf7bfa2d50dd *hbase-1.2.1-src.tar.gz
> # sha384
> 49aa0620bf0fbe20bbde66cecabb76b22defb9ee609936edc3952889e6484e55c88f1c93d6258a2eaab4a9d5188b6170
*hbase-1.2.1-src.tar.gz
> # sha512
> 28956a35a01ae87e9f733664c52c6fd25f9a60a1ff7047bbf306cd433c2a5b863c9bf05aba1d58792b86eec9943ae00e772c4b76fb81c5d210cf256cd074189b
*hbase-1.2.1-src.tar.gz
> {code}
> (comment lines added for humans, but ignored by tools; commented out rmd160, because
not a coreutils supported algorithm; binary flag optional, could use another space instead...
probably only matters for some dos tools)
> This makes it very easy to verify multiple files and hashes using: {{shasum -c file.mds}}
or {{sha1sum -c file.mds}} or {{md5sum -c file.mds}}.
> In addition to the file format change, I suggest these two additional changes:
> 1. Drop rmd160. It's not nearly as popular as the others, and it doesn't lend itself
to easy verification (no coreutils equivalent command like md5sum, sha1sum, etc.)
> 2. Concatenate hashes from all files into a single file. This makes it easier to verify
all downloads at once.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message