helix-commits mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HELIX-421) Download page: confusion over sigs and hashes
Date Fri, 28 Mar 2014 00:41:15 GMT
Sebb created HELIX-421:
--------------------------

             Summary: Download page: confusion over sigs and hashes
                 Key: HELIX-421
                 URL: https://issues.apache.org/jira/browse/HELIX-421
             Project: Apache Helix
          Issue Type: Bug
         Environment: http://helix.apache.org/0.6.3-docs/download.cgi
            Reporter: Sebb


The download page conflates the signature and hash files.
However, these serve different purposes, and it's best not to treat them as if they were the
same.

The asc file is a signature
The md5 and sha1 files are hashes

The page then says

"We strongly recommend you verify the integrity of the downloaded files with both PGP and
MD5."

The check provided by the signature (.asc) file is much stronger than the one provided by
either of the hashes. There is no point in checking both.

Have a look at http://www.apache.org/dyn/closer.cgi#verify for how to phrase this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
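
A download check that follows the distinction drawn in this report, as an added example (not part of the original message or of the Helix project): the .asc signature decides the outcome when it is present, and a .sha1 or .md5 match is reported separately as a corruption check only. The function names, the return codes and the assumption that the first token of a checksum file is the hex digest are this example's own.

```shell
#!/bin/sh
# Added example: verify a downloaded release file.
# Return codes (chosen for this example):
#   0 = signature verified (authenticity and integrity)
#   1 = verification failed
#   2 = hash matched only (detects corruption, says nothing about origin)
#   3 = nothing to verify against

# Compare a file against a checksum file. Assumption: the first
# whitespace-delimited token of the checksum file is the hex digest.
hash_matches() {  # usage: hash_matches <sha1sum|md5sum> <file> <checksum-file>
    expected=$(awk 'NR==1 {print tolower($1)}' "$3")
    actual=$("$1" "$2" | awk '{print $1}')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

verify_release() {  # usage: verify_release <file>
    f=$1
    # The .asc signature is the strong check: when it is present it decides
    # the outcome and the hash files are not consulted at all.
    if [ -f "$f.asc" ]; then
        # Assumes the project's KEYS file was already imported with gpg --import.
        gpg --verify "$f.asc" "$f" >/dev/null 2>&1 && return 0
        return 1
    fi
    # No signature available: fall back to a hash, preferring SHA-1 over MD5.
    if [ -f "$f.sha1" ]; then
        hash_matches sha1sum "$f" "$f.sha1" && return 2
        return 1
    fi
    if [ -f "$f.md5" ]; then
        hash_matches md5sum "$f" "$f.md5" && return 2
        return 1
    fi
    return 3
}
```

A caller should treat return code 2 as "not corrupted in transit" rather than "genuine", since the hash file is fetched from the same place as the download itself.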
