zookeeper-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Flavio Junqueira <fpjunque...@yahoo.com.INVALID>
Subject RE: ASC/SHA1/MD5 data for releases missing since 3.3.2
Date Sun, 03 May 2015 07:39:05 GMT
That's fine as long as it's clear to everyone else. Having a pointer in our site wouldn't hurt
afaict.

-Flavio

-----Original Message-----
From: "Patrick Hunt" <phunt@apache.org>
Sent: ‎5/‎3/‎2015 12:12 AM
To: "UserZooKeeper" <user@zookeeper.apache.org>; "Flavio Junqueira" <fpjunqueira@yahoo.com>
Subject: Re: ASC/SHA1/MD5 data for releases missing since 3.3.2

Did you read this section on the download page?

"Please use the backup mirrors only to download PGP and MD5 signatures
to verify
your downloads <http://www.apache.org/dyn/closer.cgi#verify> or if no other
mirrors are working."

checksums and other files that you download from the mirrors may not be the
originals. I believe that's the concern. I suspect they don't mirror those
files as a result. Scroll down on the page and you'll see the direct (non
mirror) download location - i.e. from Apache directly. Also keep in mind
that md5/sha1/etc... provide no security. Only validate that the xsum of
the original file matches the xsum file. Only the pgp signature ensures it
was truly created by the originator and unchanged thereafter.

Patrick


On Wed, Apr 29, 2015 at 10:49 AM, Flavio Junqueira <
fpjunqueira@yahoo.com.invalid> wrote:

> That's weird, we definitely generate them for the RCs, and I'm quite sure
> were publishing them:
> http://people.apache.org/~fpj/zookeeper-3.4.6-candidate-0/
>
> I'm not sure what's going, and Pat Hunt might know about it. I'll see if I
> can find out more in the meanwhile.
> -Flavio
>
>
>
>      On Wednesday, April 29, 2015 4:13 PM, ralph tice <
> ralph.tice@gmail.com> wrote:
>
>
>
>  Hi,
>
> I was surprised to discover that releases haven't been published with
> MD5/etc signatures since 3.3.2.
>
> Is this an intentional change by the project or an oversight?  Is there an
> alternative method of verifying integrity of releases?
>
> Thanks,
>
> --Ralph
>
>
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message