httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: [vote] release httpd-2.2.14?
Date Thu, 24 Sep 2009 15:09:42 GMT
Guenter Knauf wrote:

>>>> Can you point out where this is documented?
>>> I'll try to dig that up.
>> If you can, please.
> I think what I meant were the pointers on the download side:
> see down last sentence - however its not explained how to check
> automatically; but I volunteer to add a section for this.

The last sentence just says that md5 signatures are used, and suggests
software that might be used to verify md5 signatures, no mention is made
at all as to the format of the md5 files.

As the script is the current authoritative mechanism for how md5
signatures are created, and makes no guarantee as to the format
of the md5 file, all claims made to date that the signatures are in the
wrong format are therefore false.

Having said that, if someone wants to modify the script to
create a more formal way of generating signatures that works *both* with
md5sum, and openssl md5, please go ahead and do so.

But until someone either makes that change to, or posts a patch
to make the change to, any valid md5 format created by either
md5sum or openssl remains valid.

Having undocumented practices (within reason) is evil.

>> Ok, now what you propose only works on Linux and Windows. *BSD? MacOSX?
>> Others?
> Also its no reason to force *all* users to verify manually only because
> some OS might lack of any of the checksum tools.

openssl md5 offers a -verify option to verify the signature, and this
works on a wider set of platforms than md5sum does.

I think openssl md5 is a far more practical format to standardise on
than md5sum.


View raw message