Valient Gough wrote:
From page: http://mina.apache.org/downloads.html
mina-1.1.7 and mina-2.0.0-m1 files do not match md5, sha1, or gpg signatures!
I tested mina-1.1.7.zip , mina-1.1.7.tar.bz2, and
mina-2.0.0-M1.tar.bz2, all of which failed checks.
No, you didn't ;)
md5 link: http://www.apache.org/dist/mina/1.1.7/mina-1.1.7.tar.bz2.md5
mina-1.1.7.tar.gz: expected md5 2f83d9adc5212dd8516290b17f1fb43f , got
bd6006f16e46c421160815ce985f5c3d
The expected MD5 sum here appears to be from
http://www.apache.org/dist/mina/1.1.7/mina-1.1.7.tar.bz2.md5.
# links taken directly from http://mina.apache.org/downloads.html
$ wget http://mina.apache.org/dyn/closer.cgi/mina/2.0.0-M1/mina-2.0.0-M1.tar.bz2
$ wget http://www.apache.org/dist/mina/2.0.0-M1/mina-2.0.0-M1.tar.bz2.asc
$ gpg mina-2.0.0-M1.tar.bz2.asc
gpg: Signature made Tue 19 Feb 2008 09:55:41 AM PST using DSA key ID 92E29412
gpg: BAD signature from "Mike Heath <[EMAIL PROTECTED]>"
At least in this case you downloaded the HTML mirror link page instead
of the actual package. Could you post the actual commands you ran for
the other checks too? The link to that .tar.bz2 file generates an HTML
page on which the actual download link is, and at least wget downloads
the HTML page if you give it that URL.
Until fixed, I'm assuming all files are compromised..
I assume that you downloaded the HTML mirror link pages in the other
cases as well, and possibly did some other mistakes as well.
