Hello, On 29.07.20 17:13, Henning Westerholt wrote: > Hello Daniel, > > good idea. If there is a standard on publishing this kind of hash values, I > did not notice it before. > > Just one comment about the hash algorithms, if we introduce it now, we should > not publish MD5 and SHA1 values anymore. There are now practically broken > (MD5 since several years, SHA1 since 2019).
since many projects are still publishing md5 and sha1, I thought there are tools that can check all three at once ... if not, we can skip generating them. Cheers, Daniel > > Cheers, > > Henning > > -- > Henning Westerholt – https://skalatan.de/blog/ > Kamailio services – https://gilawa.com > > -----Original Message----- > From: sr-users <[email protected]> On Behalf Of > Daniel-Constantin Mierla > Sent: Wednesday, July 29, 2020 5:04 PM > To: Kamailio (SER) - Users Mailing List <[email protected]> > Subject: [SR-Users] publishing hash values for download files of releases > > Hello, > > being discussed during the last devel meetings, I published the md5, > sha1 and sha256 hash values for the tarballs with sources and i386 binaries > we make available for download on kamailio.org on each release > -- e.g., for 5.4.0: > > * https://www.kamailio.org/pub/kamailio/5.4.0/src/ > > * https://www.kamailio.org/pub/kamailio/5.4.0/bin/ > > Before making a more official announcement about it and adding to the > download/install docs, I want to discuss a little bit here and get to the > right solution to publish these hash values. For the moment I put them in a > single file, adding -checksums.txt to the tarball name, listing inside all 3 > hashes as computed by md5sum, sha1sum and sha256sum. > > That because I couldn't decide alone if there is sort of a standard on how to > do it. > > Couple of projects I checked they just list the hash values on the html page > with the link to download file. Others have dedicated files per hashing type, > named like MD5SUMS, SHA1SUMS and SHA256SUMS, containing hash values for all > downloadable files in the folder. > > Then, asterisk projects publishes 3 files, > asterisk-VERSION.{md5,sha1,sha256}, corresponding to the tar.gz file they > made available. Freeswitch publishes more than one archive file type, so it > makes available files like freeswitch-VERSION.EXT.{md5,sha1,sha256}, where > EXT can be tar.gz, tar.xz, zip ... > > My questions now. What kind of files with hash values people here are used > with? Any variants that tends to be (or become the standard)? > > Any tools you are aware of for automatically checking the integrity with one > of these specific hash files (like, if I have the tarball and the hashes file > in the same folder and run it, it gives the ok/not-ok, without me having to > do md5/sha1/sha256 manually and check "by eye" the values)? > > Cheers, > Daniel > > -- > Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- > www.linkedin.com/in/miconda > Funding: https://www.paypal.me/dcmierla > > > _______________________________________________ > Kamailio (SER) - Users Mailing List > [email protected] > https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users -- Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda Funding: https://www.paypal.me/dcmierla _______________________________________________ Kamailio (SER) - Users Mailing List [email protected] https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
