Hello Daniel,

good idea. If there is a standard on publishing this kind of hash values, I did 
not notice it before.

Just one comment about the hash algorithms: if we introduce it now, we should 
not publish MD5 and SHA1 values anymore. They are now practically broken (MD5 
for several years, SHA1 since 2019).

Cheers,

Henning

-- 
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com 

-----Original Message-----
From: sr-users <[email protected]> On Behalf Of 
Daniel-Constantin Mierla
Sent: Wednesday, July 29, 2020 5:04 PM
To: Kamailio (SER) - Users Mailing List <[email protected]>
Subject: [SR-Users] publishing hash values for download files of releases

Hello,

being discussed during the last devel meetings, I published the md5,
sha1 and sha256 hash values for the tarballs with sources and i386 binaries we 
make available for download on kamailio.org on each release
-- e.g., for 5.4.0:

  * https://www.kamailio.org/pub/kamailio/5.4.0/src/

  * https://www.kamailio.org/pub/kamailio/5.4.0/bin/

Before making a more official announcement about it and adding to the 
download/install docs, I want to discuss a little bit here and get to the right 
solution to publish these hash values. For the moment I put them in a single 
file, adding -checksums.txt  to the tarball name, listing inside all 3 hashes 
as computed by md5sum, sha1sum and sha256sum.

That is because I couldn't decide alone if there is sort of a standard on how to 
do it.

A couple of projects I checked just list the hash values on the html page 
with the link to the download file. Others have dedicated files per hashing type, 
named like MD5SUMS, SHA1SUMS and SHA256SUMS, containing hash values for all 
downloadable files in the folder.

Then, the Asterisk project publishes 3 files, asterisk-VERSION.{md5,sha1,sha256}, 
corresponding to the tar.gz file they make available. Freeswitch publishes more 
than one archive file type, so it makes available files like 
freeswitch-VERSION.EXT.{md5,sha1,sha256}, where EXT can be tar.gz, tar.xz, zip 
...

My questions now. What kind of files with hash values are people here used 
to? Any variants that tend to be (or become) the standard?

Any tools you are aware of for automatically checking the integrity with one of 
these specific hash files (like, if I have the tarball and the hashes file in 
the same folder and run it, it gives the ok/not-ok, without me having to do 
md5/sha1/sha256 manually and check "by eye" the values)?

Cheers,
Daniel

--
Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- 
www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla


_______________________________________________
Kamailio (SER) - Users Mailing List
[email protected]
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
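
Added example, not part of the original messages or of Kamailio's tooling: one way to get the ok/not-ok check asked about above for a single file that mixes md5sum, sha1sum and sha256sum lines, accepting only the SHA-256 value in line with the comment on MD5 and SHA1. The file names and the `parse_checksums`/`verify`/`demo` helpers are assumptions made for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Hex digest length -> algorithm, as written by md5sum, sha1sum and sha256sum.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")


def parse_checksums(text):
    """Return {filename: {algo: hexdigest}} from mixed *sum output."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and len(m.group(1)) in ALGO_BY_HEXLEN:
            algo = ALGO_BY_HEXLEN[len(m.group(1))]
            entries.setdefault(m.group(2), {})[algo] = m.group(1).lower()
    return entries


def verify(sums):
    """Check files next to the checksums file (a Path); only SHA-256 is trusted."""
    results = {}
    for name, digests in parse_checksums(sums.read_text()).items():
        target = sums.parent / Path(name).name  # same folder only
        if "sha256" not in digests:
            results[name] = "NO-SHA256"  # MD5/SHA1 alone is not accepted
        elif not target.is_file():
            results[name] = "MISSING"
        else:
            digest = hashlib.sha256(target.read_bytes()).hexdigest()
            ok = hmac.compare_digest(digest, digests["sha256"])
            results[name] = "OK" if ok else "FAILED"
    return results


def demo():  # constructed sample: an intact tarball, then the same file tampered
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d) / "example-1.0_src.tar.gz"  # placeholder name
        tarball.write_bytes(b"constructed sample content")
        lines = [f"{hashlib.new(a, tarball.read_bytes()).hexdigest()}  {tarball.name}"
                 for a in ("md5", "sha1", "sha256")]
        sums = Path(d) / "example-checksums.txt"  # placeholder name
        sums.write_text("\n".join(lines) + "\n")
        before = verify(sums)
        tarball.write_bytes(b"tampered")
        return before, verify(sums)
```

A checksums file fetched from the same server as the tarball only detects corruption or a partial download; it does not authenticate the release unless the file itself is signed or obtained over a separate trusted channel.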