helix-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kanak Biscuitwala (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (HELIX-421) Download page: confusion over sigs and hashes
Date Fri, 28 Mar 2014 03:03:15 GMT

     [ https://issues.apache.org/jira/browse/HELIX-421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Kanak Biscuitwala resolved HELIX-421.

    Resolution: Fixed
      Assignee: Kanak Biscuitwala


> Download page: confusion over sigs and hashes
> ---------------------------------------------
>                 Key: HELIX-421
>                 URL: https://issues.apache.org/jira/browse/HELIX-421
>             Project: Apache Helix
>          Issue Type: Bug
>         Environment: http://helix.apache.org/0.6.3-docs/download.cgi
>            Reporter: Sebb
>            Assignee: Kanak Biscuitwala
> The download page conflates the signature and hash files.
> However these server different purposes, and it's best not to treat them as if they were
the same.
> The asc file is a signature
> The md5 and sha1 files are hashes
> The page then says
> "We strongly recommend you verify the integrity of the downloaded files with both PGP
and MD5."
> The check provided by the signature (.asc) file is much stronger than the one provided
by either of the hashes. There is no point in checking both.
> Have a look at http://www.apache.org/dyn/closer.cgi#verify for how to phrase this.

This message was sent by Atlassian JIRA

View raw message