A subject came up on the Tomcat developers list which we thought should
be shared with the whole community.

Specifically, it was found that BSD's default md5 format is not parsable
by some external programs that clients are using to verify the integrity
of our downloads.

While we thought this not "mission critical", we did think it wise that
we should begin making the following recommendation when creating md5
signatures for files.

We discovered there is a "-r" option which makes BSD md5 generate md5
signature format that is the same as that of GNU's md5sum, a more
prevalent tool for generating checksums of files.

We also found that on BSD, "cksum" is comparable to GNU's "md5sum
--check" functionality and that it works on both the BSD and GNU file
format.

Our recommendation is that Apache should be signing with the more
prevalent GNU formatted output so that other file integrity software
available on platforms other than BSD can verify the file integrity more
easily. This is simply accomplished by adding the -r option.

For example:
%md5 -r foo.bar > foo.bar.md5

We should remember that md5 signatures are for the public to verify the
integrity of our software package distributions. Making sure that "everyone" can verify our file integrity is probably more important than maintaining a platform specific format because it is the default for the OS these were generated on.


-Mark Diggory

Mark R. Diggory wrote:
For example here are the outputs of the various signing tools we use at this time:

BSD md5:

 > md5 commons-collections-3.1.jar
MD5 (commons-collections-3.1.jar) = d1dcb0fbee884bb855bb327b8190af36

while the GNU md5 script generates the following:

[EMAIL PROTECTED] jars]$ md5sum commons-collections-3.1.jar
d1dcb0fbee884bb855bb327b8190af36  commons-collections-3.1.jar

And maven just generates and uses:
d1dcb0fbee884bb855bb327b8190af36

Yes, the nice thing about BSD md5 is that the -r can be used to make it look like the GNU md5sum output, it would probably be good if we started to use this as it will be more prevalent and possibly is the closest one can get to a standard:

 > md5 -r commons-collections-3.1.jar
d1dcb0fbee884bb855bb327b8190af36 commons-collections-3.1.jar


Mark R. Diggory wrote:

This is the md5 output generated by BSD md5 and not necessarily a "standard", GNU md5sum generates a different format that is not "standard" as well. For maven, just the checksum portion of the content is stored in the file.

It would be nice if there was a standard in this area, but I have yet to see one in the internet community. We have the same problem with generating md5 checksums for the maven repository at the moment.

-Mark

Shapira, Yoav wrote:

Hi,
The format I use for MD5 sums is the standard one.  Every other project
I know uses this format, so I think if anything this user needs to
adjust his preferences ;)  However, if there's a standard or spec
somewhere that mandates we use md5 -r (reverse output format), then
sure, someone point me to it and I'll follow that spec when signing
releases.

Yoav Shapira
Millennium Research Informatics



-----Original Message-----
From: jean-frederic clere [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 10, 2004 5:26 AM
To: Tomcat Developers List
Subject: Re: Fwd: md5 sums for jakarta downloads

Pier Fumagalli wrote:


Begin forwarded message:


From: Andy Mudrak <[EMAIL PROTECTED]>
Date: 10 August 2004 00:57:44 BST
To: [EMAIL PROTECTED]
Subject: md5 sums for jakarta downloads

Hi,

I noticed that your MD5 sums on your website are not all formatted
correctly.  I specifically downloaded the Tomcat 5.0.27 MD5 file, and
found this out.  Not that it's a big deal or anything like that, but
it'd be good to have the MD5 properly formatted, that is the MD5 sum
and then the file name...



I am not sure that is a good idea:
+++
-bash-2.05b$ openssl md5 toto
MD5(toto)= efd6b079984c77cd80254ff266e9ab43
+++

And looking in the Jakarta "Binary downloads" I have found that a lot of
other MD5 files are using the Tomcat format.




Thanks,



Andy Mudrak

[EMAIL PROTECTED]







--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]









-- Mark Diggory Software Developer Harvard MIT Data Center http://www.hmdc.harvard.edu
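
The thread quotes the same kind of digest in several layouts: BSD `md5` and `openssl md5` (tagged), GNU `md5sum` and `md5 -r`, and the bare digest Maven stores. The following is an added example, not code from any of the posters or from Apache: a small Python parser that accepts each of those layouts, rewrites them in the GNU layout, and checks a digest against data. The function names and layout labels are this example's own.

```python
import hashlib
import hmac
import re

_HEX = r"(?P<digest>[0-9a-fA-F]{32})"
# One pattern per layout quoted in the thread; the layout names are this example's own.
_LAYOUTS = [
    ("tagged", re.compile(r"^MD5 ?\((?P<name>.+)\) ?= ?" + _HEX + r"$")),  # BSD md5, openssl md5
    ("gnu", re.compile(r"^" + _HEX + r" [ *]?(?P<name>.+)$")),  # md5sum, md5 -r
    ("bare", re.compile(r"^" + _HEX + r"$")),  # digest only (Maven)
]

# Lines copied from the thread, used here as sample input.
SAMPLES = [
    "MD5 (commons-collections-3.1.jar) = d1dcb0fbee884bb855bb327b8190af36",
    "d1dcb0fbee884bb855bb327b8190af36  commons-collections-3.1.jar",
    "d1dcb0fbee884bb855bb327b8190af36 commons-collections-3.1.jar",
    "d1dcb0fbee884bb855bb327b8190af36",
    "MD5(toto)= efd6b079984c77cd80254ff266e9ab43",
]

def parse_checksum_line(line):
    """Return (layout, digest, filename or None); raise ValueError if unrecognised."""
    line = line.strip()
    for layout, pattern in _LAYOUTS:
        m = pattern.match(line)
        if m:
            return layout, m.group("digest").lower(), m.groupdict().get("name")
    raise ValueError("unrecognised checksum line: %r" % line)

def to_gnu(line, default_name=None):
    """Rewrite any recognised layout as GNU md5sum text-mode output."""
    _, digest, name = parse_checksum_line(line)
    name = name or default_name
    if name is None:
        raise ValueError("a bare digest needs a file name supplied by the caller")
    return "%s  %s" % (digest, name)

def verify(data, line):
    """Compare the MD5 of data (bytes) with the digest carried by a checksum line."""
    _, expected, _ = parse_checksum_line(line)
    return hmac.compare_digest(hashlib.md5(data).hexdigest(), expected)

if __name__ == "__main__":
    for sample in SAMPLES:
        print(to_gnu(sample, default_name="(name not in file)"))
```

A matching MD5 shows the download agrees with the published digest; it does not authenticate who published it.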




