Re: md5 checksum formats on BSD

2004-08-12 Thread Stefan Bodewig
On Wed, 11 Aug 2004, Mark R. Diggory [EMAIL PROTECTED]
wrote:

 In the larger community the BSD default format is refered to as SVF
 (Simple File Verification) and the GNU md5sum format as MD5SUM, I
 suspect it would be good to see these as output features/options
 that could be set within Ant and Maven to allow developers to choose
 the md5 output format one would like to use. Yes, I do believe this
 would be an excellent feature enhancement to these tools.

Absolutely agreed.

http://issues.apache.org/bugzilla/show_bug.cgi?id=16539

I'm sure that patches (with unit tests, of course) would be welcome.

Stefan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: md5 checksum formats on BSD

2004-08-11 Thread Mark R. Diggory
Both Maven and Ant only insert only the checksum into the file. I 
believe they resolve the location of the actual source file from the 
name of the checksum file, which forces all checksum files to reside in 
the same directory as thier source files.

This represents a problem if you want verify the generated checksum on 
*nix or BSD using md5sum or cksum as these tools require the file path 
(relative to the md5) to actually be present in the md5 file and I do 
not believe there is any way around this.

-Mark
Martin Cooper wrote:
Do you happen to know which flavour Ant creates? For Struts releases,
the Ant build file generates the MD5 files using the checksum task.
That seems like a pretty obvious way to generate them for any project
that uses Ant, but the task doesn't appear to have any switch for
determining flavour (and the docs don't appear to say anything about
different flavours of MD5).
--
Martin Cooper
On Wed, 11 Aug 2004 13:06:00 -0400, Mark R. Diggory
[EMAIL PROTECTED] wrote:
 

A subject came up on the Tomcat developers list which we thought should
be shared with the whole community.
Specifically, it was found that BSD's default md5 format is not parsable
by some external programs that clients are using to verify the integrity
of our downloads.
While we thought this not mission critical, we did think it wise that
we should begin making the following recommendation when creating md5
signatures for files.
We discovered there is a -r option which makes BSD md5 generate md5
signature format that is the same as that of GNU's md5sum, a more
prevalent tool for generating checksums of files.
We also found that on BSD, cksum is comparable to to GNU's md5sum
--check functionality and that it works on both the BSD and GNU file
format.
Our recommendation is that Apache should be signing with the more
prevalent GNU formated output so that other file integrity software
available on platforms other than BSD can verify the file integrity more
easily. This is simply accomplished by adding the -r option
For Example:
%md5 -r foo.bar  foo.bar.md5
We should remember that md5 signatures are for the public to verify the
integrity of our software package distributions. Making sure that
everyone can verify our file integrity is probably more important than
maintaining a platform specific format because it is the default for the
OS these were generated on.
-Mark Diggory
Mark R. Diggory wrote:
   

For example here are the outputs of the various signing tools we use at
this time:
BSD md5:
 md5 commons-collections-3.1.jar
MD5 (commons-collections-3.1.jar) = d1dcb0fbee884bb855bb327b8190af36
while the GNU md5 script generates the following:
[EMAIL PROTECTED] jars]$ md5sum commons-collections-3.1.jar
d1dcb0fbee884bb855bb327b8190af36  commons-collections-3.1.jar
And maven just generates and uses:
d1dcb0fbee884bb855bb327b8190af36
Yes, the nice thing about BSD md5 is that the -r can be used to make it
look like the GNU md5sum output, it would probably be good if we started
to use this as it will be more prevalent and possibly is the closest one
can get to a standard:
 md5 -r commons-collections-3.1.jar
d1dcb0fbee884bb855bb327b8190af36 commons-collections-3.1.jar
Mark R. Diggory wrote:
 

This is the md5 output generated by BSD md5 and not necessarily a
standard, GNU md5sum generates a different format that is not
standard as well. For maven, just the checksum portion of the
content is stored in the file.
It would be nice if there was a standard in this area, but I have yet
to see one in the internet community. We have the same problem with
generating md5 checksums for the maven repository at the moment.
-Mark
Shapira, Yoav wrote:
   

Hi,
The format I use for MD5 sums is the standard one.  Every other project
I know uses this format, so I think if anything this user needs to
adjust his preferences ;)  However, if there's a standard or spec
somewhere that mandates we use md5 -r (reverse output format), then
sure, someone point me to it and I'll follow that spec when signing
releases.
Yoav Shapira
Millennium Research Informatics

 

-Original Message-
From: jean-frederic clere [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 10, 2004 5:26 AM
To: Tomcat Developers List
Subject: Re: Fwd: md5 sums for jakarta downloads
Pier Fumagalli wrote:
   

Begin forwarded message:
 

From: Andy Mudrak [EMAIL PROTECTED]
Date: 10 August 2004 00:57:44 BST
To: [EMAIL PROTECTED]
Subject: md5 sums for jakarta downloads
Hi,

I noticed that your MD5 sums on your website are not all formatted
correctly.  I specifically downloaded the Tomcat 5.0.27 MD5 file,
   

and
 

found this out.  Not that it's a big deal or anything like that, but
it'd be good to have the MD5 properly formatted, that is the MD5 sum
and then the file name...
   

I am not sure that is a good idea:
+++
-bash-2.05b$ openssl md5  toto
MD5(toto)= efd6b079984c77cd80254ff266e9ab43
+++
And looking in the Jakarta 

Re: md5 checksum formats on BSD

2004-08-11 Thread Mark R. Diggory
Excuse the cross post, I wanted to get this out to the Ant and Maven 
lists as well.

In the larger community the BSD default format is refered to as SVF 
(Simple File Verification) and the GNU md5sum format as MD5SUM, I 
suspect it would be good to see these as output features/options that 
could be set within Ant and Maven to allow developers to choose the md5 
output format one would like to use. Yes, I do believe this would be an 
excellent feature enhancement to these tools.

-Mark
Mark R. Diggory wrote:
Both Maven and Ant only insert only the checksum into the file. I 
believe they resolve the location of the actual source file from the 
name of the checksum file, which forces all checksum files to reside 
in the same directory as thier source files.

This represents a problem if you want verify the generated checksum on 
*nix or BSD using md5sum or cksum as these tools require the file path 
(relative to the md5) to actually be present in the md5 file and I do 
not believe there is any way around this.

-Mark
Martin Cooper wrote:
Do you happen to know which flavour Ant creates? For Struts releases,
the Ant build file generates the MD5 files using the checksum task.
That seems like a pretty obvious way to generate them for any project
that uses Ant, but the task doesn't appear to have any switch for
determining flavour (and the docs don't appear to say anything about
different flavours of MD5).
--
Martin Cooper
On Wed, 11 Aug 2004 13:06:00 -0400, Mark R. Diggory
[EMAIL PROTECTED] wrote:
 

A subject came up on the Tomcat developers list which we thought should
be shared with the whole community.
Specifically, it was found that BSD's default md5 format is not 
parsable
by some external programs that clients are using to verify the 
integrity
of our downloads.

While we thought this not mission critical, we did think it wise that
we should begin making the following recommendation when creating md5
signatures for files.
We discovered there is a -r option which makes BSD md5 generate md5
signature format that is the same as that of GNU's md5sum, a more
prevalent tool for generating checksums of files.
We also found that on BSD, cksum is comparable to to GNU's md5sum
--check functionality and that it works on both the BSD and GNU file
format.
Our recommendation is that Apache should be signing with the more
prevalent GNU formated output so that other file integrity software
available on platforms other than BSD can verify the file integrity 
more
easily. This is simply accomplished by adding the -r option

For Example:
%md5 -r foo.bar  foo.bar.md5
We should remember that md5 signatures are for the public to verify the
integrity of our software package distributions. Making sure that
everyone can verify our file integrity is probably more important 
than
maintaining a platform specific format because it is the default for 
the
OS these were generated on.

-Mark Diggory
Mark R. Diggory wrote:
  

For example here are the outputs of the various signing tools we 
use at
this time:

BSD md5:
 md5 commons-collections-3.1.jar
MD5 (commons-collections-3.1.jar) = d1dcb0fbee884bb855bb327b8190af36
while the GNU md5 script generates the following:
[EMAIL PROTECTED] jars]$ md5sum commons-collections-3.1.jar
d1dcb0fbee884bb855bb327b8190af36  commons-collections-3.1.jar
And maven just generates and uses:
d1dcb0fbee884bb855bb327b8190af36
Yes, the nice thing about BSD md5 is that the -r can be used to 
make it
look like the GNU md5sum output, it would probably be good if we 
started
to use this as it will be more prevalent and possibly is the 
closest one
can get to a standard:

 md5 -r commons-collections-3.1.jar
d1dcb0fbee884bb855bb327b8190af36 commons-collections-3.1.jar
Mark R. Diggory wrote:


This is the md5 output generated by BSD md5 and not necessarily a
standard, GNU md5sum generates a different format that is not
standard as well. For maven, just the checksum portion of the
content is stored in the file.
It would be nice if there was a standard in this area, but I have yet
to see one in the internet community. We have the same problem with
generating md5 checksums for the maven repository at the moment.
-Mark
Shapira, Yoav wrote:
  

Hi,
The format I use for MD5 sums is the standard one.  Every other 
project
I know uses this format, so I think if anything this user needs to
adjust his preferences ;)  However, if there's a standard or spec
somewhere that mandates we use md5 -r (reverse output format), then
sure, someone point me to it and I'll follow that spec when signing
releases.

Yoav Shapira
Millennium Research Informatics



-Original Message-
From: jean-frederic clere 
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 10, 2004 5:26 AM
To: Tomcat Developers List
Subject: Re: Fwd: md5 sums for jakarta downloads

Pier Fumagalli wrote:
  

Begin forwarded message:


From: Andy Mudrak [EMAIL PROTECTED]
Date: 10 August 2004 00:57:44 BST
To: [EMAIL PROTECTED]
Subject: 

Re: md5 checksum formats on BSD

2004-08-11 Thread Martin Cooper
Do you happen to know which flavour Ant creates? For Struts releases,
the Ant build file generates the MD5 files using the checksum task.
That seems like a pretty obvious way to generate them for any project
that uses Ant, but the task doesn't appear to have any switch for
determining flavour (and the docs don't appear to say anything about
different flavours of MD5).

--
Martin Cooper


On Wed, 11 Aug 2004 13:06:00 -0400, Mark R. Diggory
[EMAIL PROTECTED] wrote:
 A subject came up on the Tomcat developers list which we thought should
 be shared with the whole community.
 
 Specifically, it was found that BSD's default md5 format is not parsable
 by some external programs that clients are using to verify the integrity
 of our downloads.
 
 While we thought this not mission critical, we did think it wise that
 we should begin making the following recommendation when creating md5
 signatures for files.
 
 We discovered there is a -r option which makes BSD md5 generate md5
 signature format that is the same as that of GNU's md5sum, a more
 prevalent tool for generating checksums of files.
 
 We also found that on BSD, cksum is comparable to to GNU's md5sum
 --check functionality and that it works on both the BSD and GNU file
 format.
 
 Our recommendation is that Apache should be signing with the more
 prevalent GNU formated output so that other file integrity software
 available on platforms other than BSD can verify the file integrity more
 easily. This is simply accomplished by adding the -r option
 
 For Example:
 %md5 -r foo.bar  foo.bar.md5
 
 We should remember that md5 signatures are for the public to verify the
 integrity of our software package distributions. Making sure that
 everyone can verify our file integrity is probably more important than
 maintaining a platform specific format because it is the default for the
 OS these were generated on.
 
 -Mark Diggory
 
 Mark R. Diggory wrote:
  For example here are the outputs of the various signing tools we use at
  this time:
 
  BSD md5:
 
md5 commons-collections-3.1.jar
  MD5 (commons-collections-3.1.jar) = d1dcb0fbee884bb855bb327b8190af36
 
  while the GNU md5 script generates the following:
 
  [EMAIL PROTECTED] jars]$ md5sum commons-collections-3.1.jar
  d1dcb0fbee884bb855bb327b8190af36  commons-collections-3.1.jar
 
  And maven just generates and uses:
  d1dcb0fbee884bb855bb327b8190af36
 
  Yes, the nice thing about BSD md5 is that the -r can be used to make it
  look like the GNU md5sum output, it would probably be good if we started
  to use this as it will be more prevalent and possibly is the closest one
  can get to a standard:
 
md5 -r commons-collections-3.1.jar
  d1dcb0fbee884bb855bb327b8190af36 commons-collections-3.1.jar
 
 
  Mark R. Diggory wrote:
 
  This is the md5 output generated by BSD md5 and not necessarily a
  standard, GNU md5sum generates a different format that is not
  standard as well. For maven, just the checksum portion of the
  content is stored in the file.
 
  It would be nice if there was a standard in this area, but I have yet
  to see one in the internet community. We have the same problem with
  generating md5 checksums for the maven repository at the moment.
 
  -Mark
 
  Shapira, Yoav wrote:
 
  Hi,
  The format I use for MD5 sums is the standard one.  Every other project
  I know uses this format, so I think if anything this user needs to
  adjust his preferences ;)  However, if there's a standard or spec
  somewhere that mandates we use md5 -r (reverse output format), then
  sure, someone point me to it and I'll follow that spec when signing
  releases.
 
  Yoav Shapira
  Millennium Research Informatics
 
 
 
  -Original Message-
  From: jean-frederic clere [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, August 10, 2004 5:26 AM
  To: Tomcat Developers List
  Subject: Re: Fwd: md5 sums for jakarta downloads
 
  Pier Fumagalli wrote:
 
 
  Begin forwarded message:
 
 
  From: Andy Mudrak [EMAIL PROTECTED]
  Date: 10 August 2004 00:57:44 BST
  To: [EMAIL PROTECTED]
  Subject: md5 sums for jakarta downloads
 
  Hi,
 
 
 
  I noticed that your MD5 sums on your website are not all formatted
  correctly.  I specifically downloaded the Tomcat 5.0.27 MD5 file,
 
 
 
  and
 
  found this out.  Not that it's a big deal or anything like that, but
  it'd be good to have the MD5 properly formatted, that is the MD5 sum
  and then the file name...
 
 
 
  I am not sure that is a good idea:
  +++
  -bash-2.05b$ openssl md5  toto
  MD5(toto)= efd6b079984c77cd80254ff266e9ab43
  +++
 
  And looking in the Jakarta Binary downloads I have found that a lot
 
 
 
  of
 
  other
  MD5 file are using the Tomcat format.
 
 
 
 
  Thanks,
 
 
 
  Andy Mudrak
 
  [EMAIL PROTECTED]
 
 
 
 
 
 
 
  -
  To unsubscribe, e-mail: [EMAIL PROTECTED]
  For additional commands, e-mail: [EMAIL PROTECTED]
 
 
 
 
 
  

Re: md5 checksum formats on BSD

2004-08-11 Thread Stefan Bodewig
On Wed, 11 Aug 2004, Martin Cooper [EMAIL PROTECTED] wrote:

 Do you happen to know which flavour Ant creates?

Ant only inserts the checksum itself into a file which is different
from either format AFAIK.

There've been plans to make the format pluggable, but noone stepped up
to code it yet (it would be trivial, but there's obviously not been
too much pressure).

Stefan

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]