Well there you go. Those instructions seem to be linked to now instead
of previous content which was not on infra.apache.org but elsewhere,
although they are themselves clearly still not that up to date given
the references to MD5 in the wider leadup section, with GPG being the
third suggestion there on how to generate a checksum.

I don't see any instructions on suggesting how you are meant to verify
the .sha512 output from GPG, so I guess perhaps I'd also use GPG to
create another similar file (after knowing that's what created it; I
expect many might not) and then diff the two. Or just eyeball the
output of some other tool, which is again quite annoying due to the
format. The new approach is easier to eyeball compare, though still
different enough to be annoying. Not a patch on the typical format.

There have been many ways to get the various shaXsum programs on
Windows too over the years, such as Cygwin, Git Bash, etc, whereas
today I would imagine actually just using the Linux version via WSL is
likely the simplest option for many. Though I'm not suggesting you
actually need to do any of those. Just having the checksum file in a
similar format that people can more easily verify. (Though you could
always do something like spin up a GHA etc build and have it grab and
verify the existing files and create a replacement output, then
manually verify that by comparison the same way an actual user might
need to with just the ugly one).

Ultimately it is a sha512 checksum, it's just one that's a less typical
format and so more difficult to use for its intended purpose. Maybe
that's why many might seem to have not bothered.

Robbie

On Tue, 13 Jul 2021 at 16:06, Havret <[email protected]> wrote:
>
> Hi Robbie,
>
> Thanks for the hint regarding this "rat" thingy. I'll give it a try.
>
> Regarding sha, I've always been following this instruction -->
> https://infra.apache.org/release-signing.html to generate sha for my
> releases. This command to be precise:
> $ gpg --print-md SHA512 [fileName] > [fileName].sha512
> I'm guessing that sha512sum is some Linux based tool that you guys are
> using. Unfortunately it is not available on Windows. :(
>
> KP
>
>
> On Tue, Jul 13, 2021 at 3:15 PM Robbie Gemmell <[email protected]>
> wrote:
>
> > See https://creadur.apache.org/rat/ for licence check tooling.
> >
> > I noted the checksum format wasn't a typical one as I've never seen it
> > used in a release before. The checksum being split into subsections and
> > formatted in an uppercase multi line grid, and so doesn't work with e.g.
> > sha512sum, and also isn't so easily verified by eye either as a result.
> > It sounds from your new description like you generated it with gpg
> > originally, which is typically only used for the signatures. Perhaps
> > gpg is able to verify the checksum files directly too, but I've also
> > not seen instructions suggesting that before and so still wouldn't
> > currently know how to do that without having a dig.
> >
> > The 'typical formats' I referred to previously are either the related
> > filename and its basic checksum formatted on a line as e.g. generated
> > by sha512sum etc and easily verified by the same, or simply the basic
> > checksum alone which can at least be eyeballed against a similar value
> > generated by most things (though again, quite awkward with the gpg
> > grid format one).
> >
> > Robbie
> >
> > On Tue, 13 Jul 2021 at 12:06, Havret <[email protected]> wrote:
> > >
> > > Hi Tim,
> > >
> > > I used the official recommended tooling to generate SHA the first time, but
> > > Robbie complained that the format was wrong. I don't know what else I can do.
> > >
> > > Regarding the missing headers, do you have any tooling (or script) that
> > > could help me with scanning the files beforehand, so I don't have to
> > > manually go through every single file? Maybe this kind of check should be
> > > included in the CI pipeline?
> > >
> > > Thanks,
> > > KP
> > >
> > > On Thu, Jul 8, 2021 at 5:30 PM Timothy Bish <[email protected]> wrote:
> > >
> > > > On 6/27/21 4:49 PM, Havret wrote:
> > > > > Hi,
> > > > >
> > > > > This is the second run for activemq-nms-amqp 1.8.2.
> > > > >
> > > > > I've added the missing headers, updated the license files, and generated
> > > > > SHA512 using powershell not gpg, so it should be more in line with what you
> > > > > guys are used to.
> > > > >
> > > > > The files can be grabbed from:
> > > > >
> > > > > https://dist.apache.org/repos/dist/dev/activemq/activemq-nms-amqp/1.8.2-rc2/
> > > > >
> > > > > Please check it and vote accordingly.
> > > > >
> > > > > Regards,
> > > > > KP
> > > > >
> > > > +0
> > > >
> > > > There still appear to be some missing license headers in test code such as:
> > > >
> > > > ./test/Apache-NMS-AMQP-Interop-Test/NmsSessionTest.cs
> > > >
> > > > And I cannot get the sha files to validate using standard tooling
> > > > without hand editing the files as they don't seem to follow normal file
> > > > formatting that's expected by the tooling as documented on the Apache
> > > > release validation guidelines.
> > > >
> > > > --
> > > > Tim Bish
> > > >
> > > >
> >
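
An added example, not part of the original thread and not code from Apache or GnuPG: one way to check an artifact against a .sha512 file whichever of the formats discussed above it uses (the gpg --print-md grid, a sha512sum line, or a bare digest), and to re-emit the sha512sum form. It assumes the gpg layout is "name:" followed by uppercase 8-character groups wrapped over lines; all function names and the sample artifact are hypothetical.

```python
import hashlib
import hmac
import re

HEX128 = re.compile(r"[0-9a-fA-F]{128}")


def normalize_sha512(text: str) -> str:
    """Extract the lowercase hex digest from the body of a .sha512 file."""
    tokens = text.split()
    if not tokens:
        raise ValueError("empty checksum file")
    # sha512sum style ("<hex>  <name>") or a bare digest: first token is the hash.
    if HEX128.fullmatch(tokens[0]):
        return tokens[0].lower()
    # gpg --print-md style: "<name>: XXXXXXXX XXXXXXXX ..." wrapped over lines.
    # The digest is everything after the last colon, with the spacing removed.
    _, colon, grid = text.rpartition(":")
    digest = "".join(grid.split())
    if colon and HEX128.fullmatch(digest):
        return digest.lower()
    raise ValueError("unrecognised SHA-512 checksum format")


def sha512sum_line(data: bytes, name: str) -> str:
    """Render the line that `sha512sum -c` accepts: hex, two spaces, name."""
    return f"{hashlib.sha512(data).hexdigest()}  {name}"


def verify(data: bytes, checksum_text: str) -> bool:
    """Compare the artifact's real digest with the published one."""
    expected = normalize_sha512(checksum_text)
    return hmac.compare_digest(hashlib.sha512(data).hexdigest(), expected)


def as_gpg_grid(data: bytes, name: str) -> str:
    """Constructed sample input: lay a digest out like the gpg grid."""
    hexd = hashlib.sha512(data).hexdigest().upper()
    groups = [hexd[i:i + 8] for i in range(0, 128, 8)]
    pad = " " * (len(name) + 2)
    return f"{name}: {' '.join(groups[:8])}\n{pad}{' '.join(groups[8:])}\n"


if __name__ == "__main__":
    artifact = b"constructed release artifact\n"  # stand-in for the real file
    published = as_gpg_grid(artifact, "example-1.0.zip")
    print(published, end="")
    print("matches:", verify(artifact, published))
    print(sha512sum_line(artifact, "example-1.0.zip"))
```

For a real release the artifact bytes would be read from the downloaded file, and the checksum text from the .sha512 file published beside it.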
