Date: Mon, 10 Sep 2012 20:38:09 +1100 (NCT)
From: "Bertrand Delacretaz (JIRA)"
To: flex-dev@incubator.apache.org
Subject: [jira] [Commented] (FLEX-33195) InstallApacheFlex mechanism to check digests on downloaded files

[ https://issues.apache.org/jira/browse/FLEX-33195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451849#comment-13451849 ]

Bertrand Delacretaz commented on FLEX-33195:
--------------------------------------------

Thanks - so IIUC that code makes sure md5 digests are downloaded from https://www.apache.org/dist/, and compares them with the actual md5 of the downloaded file.

My knowledge of Flex is very limited, but looking at src/InstallApacheFlex.mxml it seems like a single instance of that MD5CompareUtil class is used for all verifications, and the MD5CompareUtil.verifyMD5 method stores state in that instance's variables. Assuming the downloads run asynchronously, is that robust? Shouldn't each download use its own MD5CompareUtil instance?

> InstallApacheFlex mechanism to check digests on downloaded files
> ----------------------------------------------------------------
>
> Key: FLEX-33195
> URL: https://issues.apache.org/jira/browse/FLEX-33195
> Project: Apache Flex
> Issue Type: Sub-task
> Components: InstallApacheFlex
> Reporter: Bertrand Delacretaz
> Assignee: Erik de Bruin
> Priority: Minor
> Fix For: InstalApacheFlex 1.0
>
>
> In FLEX-33188, Om writes that the installer does check md5 digests of the files that it downloads.
> IMO this mechanism must be documented here, so that PPMC members can verify it - best is probably to add a link here to the code in question (under http://svn.apache.org/repos/asf/incubator/flex/ ) and explain if needed.
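
The concern raised in the comment above, as an added illustration in JavaScript (not code from InstallApacheFlex or the Flex project; `Md5Check`, `fetchDigest`, `runDownloads` and the sample data are hypothetical): a verifier that keeps the computed digest in an instance field misreports results when one instance serves overlapping downloads, and reports correctly when each download gets its own instance.

```javascript
// Added illustration; not code from InstallApacheFlex. All names are hypothetical.
const { createHash } = require("crypto");
const md5 = (data) => createHash("md5").update(data).digest("hex");

// Constructed sample: the digests a trusted server would publish.
const PUBLISHED = { "a.zip": md5("contents of A"), "b.zip": md5("contents of B") };

// Stand-in for an asynchronous digest fetch. Callbacks are queued and run
// later by flush(), so the interleaving is deterministic.
const pending = [];
const fetchDigest = (name, cb) => pending.push(() => cb(PUBLISHED[name]));
const flush = () => pending.splice(0).forEach((job) => job());

// A verifier that keeps per-call state in an instance field.
class Md5Check {
  verify(name, data, done) {
    this.actual = md5(data); // overwritten if verify() is called again
    fetchDigest(name, (expected) => done(expected === this.actual));
  }
}

// Start every verification before any digest fetch completes, then let the
// fetches complete. verifierFor() decides which instance each download uses.
function runDownloads(verifierFor, downloads) {
  const results = {};
  for (const [name, data] of Object.entries(downloads)) {
    verifierFor().verify(name, data, (ok) => { results[name] = ok; });
  }
  flush();
  return results;
}

// Constructed inputs: one intact set, one where b.zip was modified in transit.
const good = { "a.zip": "contents of A", "b.zip": "contents of B" };
const tampered = { "a.zip": "contents of A", "b.zip": "modified B" };

const single = new Md5Check();
const shared = (downloads) => runDownloads(() => single, downloads);
const perDownload = (downloads) => runDownloads(() => new Md5Check(), downloads);

console.log("shared, intact files:      ", shared(good));
console.log("per-download, intact files:", perDownload(good));
console.log("per-download, tampered b:  ", perDownload(tampered));
```

With the shared instance, the intact `a.zip` is compared against the digest computed for `b.zip` and is reported as failed; with one instance per download, only the modified file fails.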