incubator-general mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [VOTE] Approve release Apache UIMA 2.2.1-incubating
Date Mon, 17 Dec 2007 12:25:49 GMT
On 17/12/2007, Thilo Goetz <twgoetz@gmx.de> wrote:
> sebb wrote:
> > [Eventually found the KEYS file in SVN, but it might be helpful to
> > provide a pointer in the vote mails]
>
> Good point, will do next time.
>
> [...]
> >
> > There are some problems with the MD5 and SHA1 files.
> >
> > For example, uimaj-2.2.1-incubating-bin.tar.bz2.md5:
> >
> > ================
> > uimaj-2.2.1-incubating-bin.tar.bz2: 53 20 6A FB 75 1F 07 9D  BB 12 82 58 D0 7D
> >                                     CA 4B
> > ================
> >
> > The hash is spread over two lines and into hex pairs. The normal
> > format is either:
> > 53206afb751f079dbb128258d07dca4b
> > or
> > 53206afb751f079dbb128258d07dca4b *uimaj-2.2.1-incubating-bin.tar.bz2
> >
> > The SHA1 checksums have the same problem.
> >
> > The PGP signatures are OK, however the format of the existing MD5/SHA1
> > files means that most (all?) checking programs will have difficulty
> > verifying the checksums.
>
> We generate the checksums with
>
> gpg --print-md MD5 [fileName] > [fileName].md5
>
> and
>
> gpg --print-md SHA1 [fileName] > [fileName].sha
>
> respectively (as described in the release signing FAQ; however,
> I suggested that text ;-).  The advantage of using gpg is that
> you just need one tool for the various signatures.  If there
> are alternatives, we'll be happy to entertain them (we use maven
> as our build env).

Maven can generate the MD5 and SHA1 checksums itself; no need for a
separate tool.

I'm not familiar with Maven, so I don't know the commands off-hand,
but I can probably find them.

> Can you elaborate on what checking programs are commonly used?

The programs for checking MD5s are referenced from a lot of download
pages, for example:

http://xerces.apache.org/xerces-c/download.cgi
and
http://myfaces.apache.org/download.html

All of these expect checksums which are a single string of hex digits.

> It was my understanding that the primary signing mechanisms were
> the PGP signatures, and the checksums were just for quick sanity
> checks (visual verification, as they are so short).  Thanks.

Yes, PGP sigs are the primary signing mechanisms. MD5 and SHA1 are not
as secure. However they are still useful, particularly for checking
that the files have been downloaded successfully. To that end, having
a format that can be automatically checked is essential.

> --Thilo
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
> For additional commands, e-mail: general-help@incubator.apache.org
>
>

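The parsing problem the thread describes, worked through as an added example (not Apache UIMA project code): a checker that accepts the wrapped hex-pair layout written by `gpg --print-md`, the bare-digest layout, and the `digest *name` layout, normalises them to the single-string form, and verifies an artifact. The gpg-style sample is the checksum file quoted above; the artifact used for `verify()` is a constructed stand-in.

```python
import hashlib
import hmac
import re

HEX_RE = re.compile(r"[0-9a-f]+")
DIGEST_LEN = {"md5": 32, "sha1": 40}

# Checksum file exactly as quoted in the thread (gpg --print-md MD5 layout).
GPG_STYLE = (
    "uimaj-2.2.1-incubating-bin.tar.bz2: 53 20 6A FB 75 1F 07 9D  BB 12 82 58 D0 7D\n"
    "                                    CA 4B\n"
)

# Constructed stand-in for a release artifact, with a gpg-style checksum file
# built from its real MD5 so verify() can be exercised offline.
ARTIFACT = b"constructed stand-in for a release tarball\n"
_hex = hashlib.md5(ARTIFACT).hexdigest().upper()
ARTIFACT_MD5_FILE = "release.tar.bz2: " + " ".join(_hex[i:i + 2] for i in range(0, 32, 2))


def parse_checksum_file(text):
    """Return (file_name_or_None, lowercase_hex_digest) from a checksum file.

    Accepts the three layouts from the thread:
      - 'name: 53 20 6A ...' as written by gpg --print-md, wrapped over lines
      - a bare hex digest on one line
      - 'digest *name' / 'digest  name' as written by md5sum and sha1sum
    """
    body = " ".join(line.strip() for line in text.splitlines() if line.strip())
    if ":" in body:                       # gpg --print-md layout: name first
        name, _, hex_part = body.partition(":")
        name = name.strip()
    else:                                 # digest first, optional name after it
        hex_part, _, name = body.partition(" ")
        name = name.strip().lstrip("*") or None
    digest = "".join(hex_part.split()).lower()
    if not HEX_RE.fullmatch(digest) or len(digest) not in DIGEST_LEN.values():
        raise ValueError("checksum file does not contain a recognisable digest")
    return name, digest


def to_canonical(text):
    """Rewrite any accepted layout as 'digest *name', the form md5sum -c,
    sha1sum -c and the download-page checkers expect."""
    name, digest = parse_checksum_file(text)
    return f"{digest} *{name}" if name else digest


def verify(data, checksum_text, algo):
    """True iff the algo digest of data matches the checksum file. This is the
    download-integrity check only; the PGP signature remains the authenticity check."""
    _, expected = parse_checksum_file(checksum_text)
    if len(expected) != DIGEST_LEN[algo]:
        raise ValueError(f"digest length does not match {algo}")
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected)
```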