Hi,
FYI ; I updated the 'verification' page.
https://www.apache.org/info/verification
-- section "Checking Hashes" :
This section now has a reference to 'checker.apache.org',
including a form to submit a SHA-1 to the checker.
-- section "Checking Signatures" :
-- Unchanged ;
-- read it ...
-- the first, easy part (check the detached signature) is ok ;
-- the second (not-so-easy) part (Validating Authenticity
of a Key) is entirely impractical : "A good start to
validating a key is by face-to-face communication ..."
Here is a puzzle :
-- look at http://www.staff.science.uu.nl/~penni101/puzzle/
-- prove that 'foo' an authentic ASF artifact
Regards,
Henk Penning
------------------------------------------------------------ _
Henk P. Penning, ICT-beta R Uithof MG-403 _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M [email protected] \_/
---------- Forwarded message ----------
Date: Sun, 25 Mar 2018 14:18:06 +0200 (CEST)
From: Henk P. Penning <[email protected]>
To: ComDev <[email protected]>
Cc: Users <[email protected]>
Subject: Re: Updated checksum policy doc update
On Sat, 24 Mar 2018, Christopher wrote:
Date: Sat, 24 Mar 2018 21:16:04 +0100
From: Christopher <[email protected]>
To: ComDev <[email protected]>
Cc: Users <[email protected]>
Subject: Updated checksum policy doc update
The recently updated checksum policy from infra means more people should be
using tools like sha512sum or shasum (or even sha1sum) instead of md5sum,
but the instructions for users to verify releases:
https://www.apache.org/info/verification only mention md5sum tools. They
should be updated to include mention of tools for checking SHA-1 and SHA-2
hashes. This page is so old and out of date, that it even still mentions
textutils, which was rolled into coreutils 15 years ago.
I'm not sure who can update this page, but it definitely needs some
attention. Otherwise, projects will have to provide their own, possibly
inconsistent, verification instructions (rather than link to this page, as
many do now).
Hi,
I fixed up https://www.apache.org/info/verification a little,
regarding "Checking Hashes" ; it is still impractical.
I would rather refer people to
https://checker.apache.org/dist/verify.html
See for examples (click left ; click right) :
https://checker.apache.org/#META-files
Regards,
Henk Penning
------------------------------------------------------------ _
Henk P. Penning, ICT-beta R Uithof MG-403 _/ \_
Faculty of Science, Utrecht University T +31 30 253 4106 / \_/ \
Leuvenlaan 4, 3584CE Utrecht, NL F +31 30 253 4553 \_/ \_/
http://www.staff.science.uu.nl/~penni101/ M [email protected] \_/
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
