syncope-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Francesco Chicchiriccò (JIRA) <j...@apache.org>
Subject [jira] [Closed] (SYNCOPE-1330) MD5 should no longer be provided on download pages
Date Mon, 02 Jul 2018 09:49:00 GMT

     [ https://issues.apache.org/jira/browse/SYNCOPE-1330?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Francesco Chicchiriccò closed SYNCOPE-1330.
-------------------------------------------
    Resolution: Fixed

MD5 refs removed from downloads and release-process pages (to avoid future issues)
Signature and hash verification adjusted using CXF as template

The updated pages will be published along with next release.

> MD5 should no longer be provided on download pages
> --------------------------------------------------
>
>                 Key: SYNCOPE-1330
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1330
>             Project: Syncope
>          Issue Type: Bug
>         Environment: http://syncope.apache.org/downloads.html
>            Reporter: Sebb
>            Assignee: Francesco Chicchiriccò
>            Priority: Major
>
> The use of MD5 hashes on download pages was deprecated recently
> https://www.apache.org/dev/release-distribution#sigs-and-sums
> MD5 hashes should no longer be generated or linked from the download page.
> [They are only OK for historic releases that don't have other hashes]
> Also there is no point asking users to check both the signature and the hash.
> The signature should be checked; if that is not possible, check the hash.
> Further, the GPG example needs to include the file name as well, e.g.
> gpg --verify syncope-*.zip.asc syncope-*.zip
> [However using "*" to represent the variable part of a file name is not ideal]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message