On Fri, May 13, 2016 at 9:18 AM, Nick Dimiduk <ndimi...@apache.org> wrote: > On Thu, May 12, 2016 at 7:03 PM, Sean Busbey <bus...@apache.org> wrote: > >> [1]: >> >> I now realize the issue with using gpg printed md5: the md5 files end up in >> a different format for dist.apache than the md5 files pushed into >> repository.apache. >> the latter match md5sum / md5 -r output. >> >> It's not a big deal, just some added noise in the scripting I use to >> go through checking >> all of the checksum files. >> > > Shall we have a follow-on to HBASE-15738 for using md5sum / md5 -r? Might > as well make it simpler for folks consuming our stuff, and the gnupg format > output is in the mds file for those who prefer that. > >
Maybe. So we'd essentially say something like "this is how you verify using only gpg for signatures and for a couple of example hash algos" and then a different "this is how you verify using md5sum"? I dunno if it's worth having two verification instructions for downloads just so verification of RCs is slightly simpler, since hopefully the former is much more common than the latter.