Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 86385 invoked from network); 24 Sep 2009 15:10:16 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 24 Sep 2009 15:10:16 -0000 Received: (qmail 45540 invoked by uid 500); 24 Sep 2009 15:10:15 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 45470 invoked by uid 500); 24 Sep 2009 15:10:15 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 45412 invoked by uid 99); 24 Sep 2009 15:10:15 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 Sep 2009 15:10:15 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of minfrin@sharp.fm designates 72.32.122.47 as permitted sender) Received: from [72.32.122.47] (HELO chandler.sharp.fm) (72.32.122.47) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 24 Sep 2009 15:10:05 +0000 Received: from chandler.sharp.fm (localhost [127.0.0.1]) by chandler.sharp.fm (Postfix) with ESMTP id 7EBEEDC0A2 for ; Thu, 24 Sep 2009 10:09:44 -0500 (CDT) Received: from graham-leggetts-macbook-pro-3.local (unknown [212.58.232.179]) (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) (Authenticated sender: minfrin@sharp.fm) by chandler.sharp.fm (Postfix) with ESMTP id EE64FDC09B for ; Thu, 24 Sep 2009 10:09:43 -0500 (CDT) Message-ID: <4ABB8BB6.8000101@sharp.fm> Date: Thu, 24 Sep 2009 17:09:42 +0200 From: Graham Leggett User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: dev@httpd.apache.org Subject: Re: [vote] release httpd-2.2.14? References: <4ABAAE16.5040907@sharp.fm> <4ABADFFF.4010708@apache.org> <4ABB6859.3080408@sharp.fm> <4ABB7A0B.9020602@apache.org> <4ABB7F4D.3040204@sharp.fm> <4ABB870F.1040808@apache.org> In-Reply-To: <4ABB870F.1040808@apache.org> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms000600000305060502070400" X-Virus-Scanned: ClamAV using ClamSMTP X-Virus-Checked: Checked by ClamAV on apache.org This is a cryptographically signed message in MIME format. --------------ms000600000305060502070400 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Guenter Knauf wrote: >>>> Can you point out where this is documented? >>> I'll try to dig that up. >> If you can, please. > I think what I meant were the pointers on the download side: > http://httpd.apache.org/download.cgi > see down last sentence - however its not explained how to check > automatically; but I volunteer to add a section for this. The last sentence just says that md5 signatures are used, and suggests software that might be used to verify md5 signatures, no mention is made at all as to the format of the md5 files. As the roll.sh script is the current authoritative mechanism for how md5 signatures are created, and roll.sh makes no guarantee as to the format of the md5 file, all claims made to date that the signatures are in the wrong format are therefore false. Having said that, if someone wants to modify the roll.sh script to create a more formal way of generating signatures that works *both* with md5sum, and openssl md5, please go ahead and do so. But until someone either makes that change to roll.sh, or posts a patch to make the change to roll.sh, any valid md5 format created by either md5sum or openssl remains valid. Having undocumented practices (within reason) is evil. >> Ok, now what you propose only works on Linux and Windows. *BSD? MacOSX? >> Others? > http://www.freebsdsoftware.org/sysutils/coreutils.html > http://coreutils.darwinports.com/ > > Also its no reason to force *all* users to verify manually only because > some OS might lack of any of the checksum tools. openssl md5 offers a -verify option to verify the signature, and this works on a wider set of platforms than md5sum does. I think openssl md5 is a far more practical format to standardise on than md5sum. Regards, Graham -- --------------ms000600000305060502070400 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJNTCC AvUwggJeoAMCAQICEE48SDZRMuwR+sMj0uPO8bgwDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UE BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MTAxNDEzNDk1N1oX DTA5MTAxNDEzNDk1N1owXTEQMA4GA1UEBBMHTGVnZ2V0dDEPMA0GA1UEKhMGR3JhaGFtMRcw FQYDVQQDEw5HcmFoYW0gTGVnZ2V0dDEfMB0GCSqGSIb3DQEJARYQbWluZnJpbkBzaGFycC5m bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOHdkReI2hOK03fWwKA9UqHcjwRQ /gdmAIB/96pznww4TROCiCG/ugLzo2/feBQSuY467jFMBNudlzY+65avbP9Utys/0pa9lcK7 7hjXKKhgqL/UBSmSLxHie8pCo+74tqoOBTEkKj/Dc37mugeA0tdG1tOGc3yg8JhxEITl/9Sr Qm5NElCFs3dLksCh+3S0IFANct13lRr7aYezqlsVu7HiQkSc3uWDGtRAIWouimjvpfaPuBl/ hZCzQiWmHoW++C5kO5cxuO9UluW3oxk8+tJmsIA+6pJTfSHH5RbVrEXSlbkscSZ+/TYMw7rr /Mo8iqTANqNpInUfVE5nMmdqN5ECAwEAAaMtMCswGwYDVR0RBBQwEoEQbWluZnJpbkBzaGFy cC5mbTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBQUAA4GBADfOsPAXQyOnuF1AM2p/elY6 7QVH1C7xQZTQ809jKVM7/44FaS7u5t3RhH3HpVd/qO0xkYTw9NBbQMFn8XoK2RAHs+phssXh Z9sKfDJYmQN8H2xglQG4oUcdypLiv4l/1FE7OCh8dqQ5aMFrbT+Qq9nr1WGxXCemp8+Y3wgI GFBCMIIC9TCCAl6gAwIBAgIQTjxINlEy7BH6wyPS487xuDANBgkqhkiG9w0BAQUFADBiMQsw CQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoG A1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwHhcNMDgxMDE0MTM0 OTU3WhcNMDkxMDE0MTM0OTU3WjBdMRAwDgYDVQQEEwdMZWdnZXR0MQ8wDQYDVQQqEwZHcmFo YW0xFzAVBgNVBAMTDkdyYWhhbSBMZWdnZXR0MR8wHQYJKoZIhvcNAQkBFhBtaW5mcmluQHNo YXJwLmZtMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4d2RF4jaE4rTd9bAoD1S odyPBFD+B2YAgH/3qnOfDDhNE4KIIb+6AvOjb994FBK5jjruMUwE252XNj7rlq9s/1S3Kz/S lr2VwrvuGNcoqGCov9QFKZIvEeJ7ykKj7vi2qg4FMSQqP8Nzfua6B4DS10bW04ZzfKDwmHEQ hOX/1KtCbk0SUIWzd0uSwKH7dLQgUA1y3XeVGvtph7OqWxW7seJCRJze5YMa1EAhai6KaO+l 9o+4GX+FkLNCJaYehb74LmQ7lzG471SW5bejGTz60mawgD7qklN9IcflFtWsRdKVuSxxJn79 NgzDuuv8yjyKpMA2o2kidR9UTmcyZ2o3kQIDAQABoy0wKzAbBgNVHREEFDASgRBtaW5mcmlu QHNoYXJwLmZtMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcNAQEFBQADgYEAN86w8BdDI6e4XUAz an96VjrtBUfULvFBlNDzT2MpUzv/jgVpLu7m3dGEfcelV3+o7TGRhPD00FtAwWfxegrZEAez 6mGyxeFn2wp8MliZA3wfbGCVAbihRx3KkuK/iX/UUTs4KHx2pDlowWttP5Cr2evVYbFcJ6an z5jfCAgYUEIwggM/MIICqKADAgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJa QTEVMBMGA1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoT EVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERp dmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG 9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcN MTMwNzE2MjM1OTU5WjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRp bmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vp bmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSmPFVzVftOucqZWh5owHUEcJ3f 6f+jHuy9zfVb8hp2vX8MOmHyv1HOAdTlUAow1wJjWiyJFXCO3cnwK4Vaqj9xVsuvPAsH5/Ef kTYkKhPPK9Xzgnc9A74r/rsYPge/QIACZNenprufZdHFKlSFD0gEf6e20TxhBEAeZBlyYLf7 AgMBAAGjgZQwgZEwEgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDigNqA0hjJodHRw Oi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDALBgNVHQ8E BAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0GCSqG SIb3DQEBBQUAA4GBAEiM0VCD6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQc UCCTcDz9reFhYsPZOhl+hLGZGwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bG CE6u9uo05RAaWzVNd+NWIXiC3CEZNd4ksdMdRv9dX2VPMYIDcTCCA20CAQEwdjBiMQswCQYD VQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UE AxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEE48SDZRMuwR+sMj0uPO 8bgwCQYFKw4DAhoFAKCCAdAwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B CQUxDxcNMDkwOTI0MTUwOTQyWjAjBgkqhkiG9w0BCQQxFgQUu9sHHwE4lSl0NyLp6k2sS6Qs aUIwXwYJKoZIhvcNAQkPMVIwUDALBglghkgBZQMEAQIwCgYIKoZIhvcNAwcwDgYIKoZIhvcN AwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGFBgkrBgEE AYI3EAQxeDB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAo UHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBD QQIQTjxINlEy7BH6wyPS487xuDCBhwYLKoZIhvcNAQkQAgsxeKB2MGIxCzAJBgNVBAYTAlpB MSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3 dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQTjxINlEy7BH6wyPS487xuDANBgkq hkiG9w0BAQEFAASCAQAfdEo4mgiitdb42MHFbuy4iTuQeYeNuIEZILic8ub2imL17stQaHUx X4i4TBvB4luZOyc3N5bU9NgrYn7zna8SDXDpTmN5niqWI+UPjXkBwqmwqQ6lYK2KLunbNRbP 4oQHbHYv9ZOyKPMFrDPF12NINYdzIOqq4Tq8dis2XDoJbgZOvnKIV8tkSN3QFajRFdkFTbIW gu5y7msQdLTYFrjy8CSzNpyIZuMBrthCUDi9LSmmGp45/vv4GGMMZ1s4sRiR/vs+q5ug5YHv 670ZWwZSBEcsptPb9ZorDurPuFwhIsyZmrUKvC9bASddBqlstUba6f3PRKnURJ/t76Gpl75v AAAAAAAA --------------ms000600000305060502070400--