Posted to dev@flex.apache.org by Erik de Bruin <er...@ixsoftware.nl> on 2014/12/16 17:10:24 UTC

[INSTALLER] can't we make MD5 checking optional

Hi,

Can't we make MD5 checking optional in the installer? Even downloads
from Apache's website don't force you to check the MD5 sigs of a
download, and it's causing all kinds of problems with downloads
through the installer.

EdB



-- 
Ix Multimedia Software

Jan Luykenstraat 27
3521 VB Utrecht

T. 06-51952295
I. www.ixsoftware.nl

Re: [INSTALLER] can't we make MD5 checking optional

Posted by Bertrand Delacretaz <bd...@apache.org>.
Hi,

On Tue, Dec 16, 2014 at 5:10 PM, Erik de Bruin <er...@ixsoftware.nl> wrote:
> ...Can't we make MD5 checking optional in the installer?...

From a general Apache point of view, encouraging people to download
binaries without verifying them is very bad.

Giving people the option to shoot themselves in the foot can be ok, as
long as they are adequately warned - so I'd much prefer that you guys
leave the checks turned on by default, and provide a way to disable
them if you want.

BTW md5 cannot be considered safe anymore - there's a nice
illustration of that at
http://natmchugh.blogspot.co.uk/2014/10/how-i-created-two-images-with-same-md5.html

-Bertrand

Re: [INSTALLER] can't we make MD5 checking optional

Posted by Mihai Chira <mi...@gmail.com>.
I think we should keep it at least as a warning. Twice when the md5
check failed on the sdk the sdk hadn't downloaded completely (though
the installer thought it had), so it can still be a useful debugging
tool.

On 16 December 2014 at 16:10, Erik de Bruin <er...@ixsoftware.nl> wrote:
> Hi,
>
> Can't we make MD5 checking optional in the installer? Even downloads
> from Apache's website don't force you to check the MD5 sigs of a
> download, and it's causing all kinds of problems with downloads
> through the installer.
>
> EdB
>
>
>
> --
> Ix Multimedia Software
>
> Jan Luykenstraat 27
> 3521 VB Utrecht
>
> T. 06-51952295
> I. www.ixsoftware.nl
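
Added example (not part of the thread and not the Flex installer's code): a Python sketch of the behaviour discussed in the two replies above, with verification on by default, an explicit opt-out that only warns, and an incomplete download reported separately from a content mismatch. It uses SHA-256 instead of MD5, and the published size, the function names and the sample data are assumptions.

```python
import hashlib
import hmac
import io
import warnings

CHUNK = 64 * 1024


class VerificationError(Exception):
    """Raised when an enforced check fails; .reason is 'incomplete' or 'mismatch'."""
    def __init__(self, reason, detail):
        super().__init__(f"{reason}: {detail}")
        self.reason = reason


def verify_download(stream, expected_size, expected_sha256, enforce=True):
    """Hash a download in chunks and classify the result.

    Returns 'ok'. On failure it raises VerificationError when enforce=True
    (the default); with enforce=False it warns and returns the reason.
    """
    digest = hashlib.sha256()
    size = 0
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        digest.update(chunk)
        size += len(chunk)
    if size < expected_size:
        # Short read: the transfer stopped early, so do not blame the checksum.
        reason, detail = "incomplete", f"got {size} of {expected_size} bytes"
    elif not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
        reason, detail = "mismatch", "SHA-256 differs from the published value"
    else:
        return "ok"
    if enforce:
        raise VerificationError(reason, detail)
    warnings.warn(f"download NOT verified ({reason}: {detail})", stacklevel=2)
    return reason


# Constructed sample data standing in for an SDK archive.
SAMPLE = b"constructed-sdk-archive-" * 1000
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def demo():
    """Run a good, a cut-off and an altered download; return results and warning count."""
    results = [verify_download(io.BytesIO(SAMPLE), len(SAMPLE), SAMPLE_SHA256)]
    with warnings.catch_warnings(record=True) as caught:
        warnings.simplefilter("always")
        for data in (SAMPLE[:-100], b"X" + SAMPLE[1:]):
            results.append(verify_download(io.BytesIO(data), len(SAMPLE),
                                           SAMPLE_SHA256, enforce=False))
    return results, len(caught)
```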

Re: [INSTALLER] can't we make MD5 checking optional

Posted by Alex Harui <ah...@adobe.com>.

On 12/16/14, 8:10 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:

>Hi,
>
>Can't we make MD5 checking optional in the installer? Even downloads
>from Apache's website don't force you to check the MD5 sigs of a
>download, and it's causing all kinds of problems with downloads
>through the installer.

If you get a bad download, the unzip will fail, potentially without a nice
error.  IMO, it isn’t about the MD5 check, for some reason, downloading
via AIR seems to get bad results more often than downloading via
Ant/Browser.  I keep thinking there is a bug in URLLoader.

-Alex


Re: [INSTALLER] can't we make MD5 checking optional

Posted by OmPrakash Muppirala <bi...@gmail.com>.
On Tue, Dec 16, 2014 at 8:10 AM, Erik de Bruin <er...@ixsoftware.nl> wrote:
>
> Hi,
>
> Can't we make MD5 checking optional in the installer? Even downloads
> from Apache's website don't force you to check the MD5 sigs of a
> download, and it's causing all kinds of problems with downloads
> through the installer.
>
>
+1

I have already raised this issue before.  This is turning out to be too
much of a maintenance issue.  I don't think it is sustainable.

Thanks,
Om


> EdB
>
>
>
> --
> Ix Multimedia Software
>
> Jan Luykenstraat 27
> 3521 VB Utrecht
>
> T. 06-51952295
> I. www.ixsoftware.nl
>

Re: [INSTALLER] can't we make MD5 checking optional

Posted by Tom Chiverton <tc...@extravision.com>.
I certainly keep an eye on the CI servers, and finally sorted out access
to the flex.a.o CMS from work, so can catch them some of the time.

Hopefully all you'll ever see is an email saying "fixed already",
Tom

On 18/12/14 16:48, Alex Harui wrote:
> If someone wants to help keep the MD5s up-to-date in the interim, then the
> window for folks to get false errors will be smaller.


Re: [INSTALLER] can't we make MD5 checking optional

Posted by Alex Harui <ah...@adobe.com>.
To be clear, then the next opportunity we have to make this switch is for
4.15.  The changes are in the Flex SDK install scripts, not in the
Installer.

If someone wants to help keep the MD5s up-to-date in the interim, then the
window for folks to get false errors will be smaller.

-Alex

On 12/18/14, 6:59 AM, "Neil Madsen" <li...@cranialinteractive.com> wrote:

>After the release should be fine. Less moving targets at that point.
>
>-----Original Message-----
>From: Tom Chiverton [mailto:tc@extravision.com]
>Sent: December-18-14 4:05 AM
>To: dev@flex.apache.org
>Subject: Re: [INSTALLER] can't we make MD5 checking optional
>
>I think there is enough going on already, and there's no urgent need ?
>
>Tom
>
>On 16/12/14 19:31, Alex Harui wrote:
>> OK, I'm willing to see a small charge, I just don't want to get hit
>> with a big bill if we do become popular.
>>
>> Anyway, do you want us to take on switching to this for 4.14 or after?
>
>


RE: [INSTALLER] can't we make MD5 checking optional

Posted by Neil Madsen <li...@cranialinteractive.com>.
After the release should be fine. Less moving targets at that point.

-----Original Message-----
From: Tom Chiverton [mailto:tc@extravision.com] 
Sent: December-18-14 4:05 AM
To: dev@flex.apache.org
Subject: Re: [INSTALLER] can't we make MD5 checking optional

I think there is enough going on already, and there's no urgent need ?

Tom

On 16/12/14 19:31, Alex Harui wrote:
> OK, I'm willing to see a small charge, I just don't want to get hit 
> with a big bill if we do become popular.
>
> Anyway, do you want us to take on switching to this for 4.14 or after?



Re: [INSTALLER] can't we make MD5 checking optional

Posted by Tom Chiverton <tc...@extravision.com>.
I think there is enough going on already, and there's no urgent need ?

Tom

On 16/12/14 19:31, Alex Harui wrote:
> OK, I’m willing to see a small charge, I just don’t want to get hit with a
> big bill if we do become popular.
>
> Anyway, do you want us to take on switching to this for 4.14 or after?


Re: [INSTALLER] can't we make MD5 checking optional

Posted by Alex Harui <ah...@adobe.com>.

On 12/16/14, 10:46 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:

>>>A few tiny downloads (that's all we're really talking about, right?)
>>>won't break the (credits) bank.
>>
>> I don’t think it is a “few”, it is at least two per install times
>>however
>> many installs per month.  If Flex becomes wildly popular, will I end up
>> paying?  The Azure T&C’s also said something about not using the
>>instance
>> for “production”, but I’ve never quite figured out what that meant.
>
>Let's be optimistic and put it at 2kb for 100.000 installs. That would
>still be only 200 Mb. And if you're afraid of breaking the bank, I'll
>gladly take it on my VM, I'm paying a few $ per month to keep Mustella
>going anyway.

OK, I’m willing to see a small charge, I just don’t want to get hit with a
big bill if we do become popular.

Anyway, do you want us to take on switching to this for 4.14 or after?

-Alex


Re: [INSTALLER] can't we make MD5 checking optional

Posted by Erik de Bruin <er...@ixsoftware.nl>.
>>A few tiny downloads (that's all we're really talking about, right?)
>>won't break the (credits) bank.
>
> I don’t think it is a “few”, it is at least two per install times however
> many installs per month.  If Flex becomes wildly popular, will I end up
> paying?  The Azure T&C’s also said something about not using the instance
> for “production”, but I’ve never quite figured out what that meant.

Let's be optimistic and put it at 2kb for 100.000 installs. That would
still be only 200 Mb. And if you're afraid of breaking the bank, I'll
gladly take it on my VM, I'm paying a few $ per month to keep Mustella
going anyway.

As far as the T&C, we're not making any money off the downloads, so
I'm pretty sure that means we're not 'in production'.

EdB



-- 
Ix Multimedia Software

Jan Luykenstraat 27
3521 VB Utrecht

T. 06-51952295
I. www.ixsoftware.nl

Re: [INSTALLER] can't we make MD5 checking optional

Posted by Alex Harui <ah...@adobe.com>.

On 12/16/14, 9:52 AM, "Erik de Bruin" <er...@ixsoftware.nl> wrote:


>A few tiny downloads (that's all we're really talking about, right?)
>won't break the (credits) bank.

I don’t think it is a “few”, it is at least two per install times however
many installs per month.  If Flex becomes wildly popular, will I end up
paying?  The Azure T&C’s also said something about not using the instance
for “production”, but I’ve never quite figured out what that meant.

-Alex


Re: [INSTALLER] can't we make MD5 checking optional

Posted by Erik de Bruin <er...@ixsoftware.nl>.
> I’m just wondering if there are restrictions on using the free Azure
> instance for this kind of thing and how much bandwidth it will turn out to
> be.  If I could find another server to store the MD5s on that would be
> preferred.

The Azure instances are not free. You just pay for them with the
credits they give you, until those run out and then your creditCARD
kicks in ;-)

A few tiny downloads (that's all we're really talking about, right?)
won't break the (credits) bank.

EdB



-- 
Ix Multimedia Software

Jan Luykenstraat 27
3521 VB Utrecht

T. 06-51952295
I. www.ixsoftware.nl

Re: [INSTALLER] can't we make MD5 checking optional

Posted by Alex Harui <ah...@adobe.com>.

On 12/16/14, 8:50 AM, "OmPrakash Muppirala" <bi...@gmail.com> wrote:

>On Dec 16, 2014 8:43 AM, "Alex Harui" <ah...@adobe.com> wrote:
>>
>> IMO, there are two issues:
>>
>> 1) Adobe keeps updating the downloads and we get out of sync and there
>>are
>> failures until we get synced up
>> 2) Folks using the installer seem to get bad downloads more often than
>> using Ant/Browser.
>>
>> For 1), I’ve been pondering having MD5 checker leave .md5 files on the
>>CI
>> server or somewhere that doesn’t require SVNPUBSUB and updating the
>> installer scripts to fetch from there.  Not sure if the bandwidth
>> costs will be significant or not.  But then, if MD5 checker runs hourly
>> (which it currently does) or even more frequently, we’ll only get out of
>> sync for a little while.
>
>+1
>We could link directly to the generated md5 file on the jenkins job.

I’m just wondering if there are restrictions on using the free Azure
instance for this kind of thing and how much bandwidth it will turn out to
be.  If I could find another server to store the MD5s on that would be
preferred.

Also, to be clear, this would not keep us from having to periodically
update the sdk-installer-config file like we do now.  The 4.13 and older
install scripts will always be looking there.  Changing the 4.14 install
script is a big change this late in the game.  Do folks really want to try
it?

-Alex


Re: [INSTALLER] can't we make MD5 checking optional

Posted by OmPrakash Muppirala <bi...@gmail.com>.
On Dec 16, 2014 8:43 AM, "Alex Harui" <ah...@adobe.com> wrote:
>
> IMO, there are two issues:
>
> 1) Adobe keeps updating the downloads and we get out of sync and there are
> failures until we get synced up
> 2) Folks using the installer seem to get bad downloads more often than
> using Ant/Browser.
>
> For 1), I’ve been pondering having MD5 checker leave .md5 files on the CI
> server or somewhere that doesn’t require SVNPUBSUB and updating the
> installer scripts to fetch from there.  Not sure if the bandwidth
> costs will be significant or not.  But then, if MD5 checker runs hourly
> (which it currently does) or even more frequently, we’ll only get out of
> sync for a little while.

+1
We could link directly to the generated md5 file on the jenkins job.

Thanks,
Om

>
> For 2), which I think was Mihai’s issue, we just get bad downloads too
> frequently.  If I had more time, I’d write some other downloader in
> Flash/AIR using Socket to see if it works better.

>
> -Alex
>
> On 12/16/14, 8:22 AM, "Tom Chiverton" <tc...@extravision.com> wrote:
>
> >The trouble being that sometimes the Apache mirrors are screwed, and the
> >only way to tell is to check the checksums (or explode when the files
> >are unpacked, if you get lucky).
> >
> >Tom
> >
> >On 16/12/14 16:10, Erik de Bruin wrote:
> >> Hi,
> >>
> >> Can't we make MD5 checking optional in the installer? Even downloads
> >> from Apache's website don't force you to check the MD5 sigs of a
> >> download, and it's causing all kinds of problems with downloads
> >> through the installer.
> >>
> >> EdB
> >>
> >>
> >>
> >
>

Re: [INSTALLER] can't we make MD5 checking optional

Posted by Alex Harui <ah...@adobe.com>.
IMO, there are two issues:

1) Adobe keeps updating the downloads and we get out of sync and there are
failures until we get synced up
2) Folks using the installer seem to get bad downloads more often than
using Ant/Browser.

For 1), I’ve been pondering having MD5 checker leave .md5 files on the CI
server or somewhere that doesn’t require SVNPUBSUB and updating the
installer scripts to fetch from there.  Not sure if the bandwidth
costs will be significant or not.  But then, if MD5 checker runs hourly
(which it currently does) or even more frequently, we’ll only get out of
sync for a little while.

For 2), which I think was Mihai’s issue, we just get bad downloads too
frequently.  If I had more time, I’d write some other downloader in
Flash/AIR using Socket to see if it works better.

-Alex

On 12/16/14, 8:22 AM, "Tom Chiverton" <tc...@extravision.com> wrote:

>The trouble being that sometimes the Apache mirrors are screwed, and the
>only way to tell is to check the checksums (or explode when the files
>are unpacked, if you get lucky).
>
>Tom
>
>On 16/12/14 16:10, Erik de Bruin wrote:
>> Hi,
>>
>> Can't we make MD5 checking optional in the installer? Even downloads
>> from Apache's website don't force you to check the MD5 sigs of a
>> download, and it's causing all kinds of problems with downloads
>> through the installer.
>>
>> EdB
>>
>>
>>
>


Re: [INSTALLER] can't we make MD5 checking optional

Posted by Tom Chiverton <tc...@extravision.com>.
The trouble being that sometimes the Apache mirrors are screwed, and the 
only way to tell is to check the checksums (or explode when the files 
are unpacked, if you get lucky).

Tom

On 16/12/14 16:10, Erik de Bruin wrote:
> Hi,
>
> Can't we make MD5 checking optional in the installer? Even downloads
> from Apache's website don't force you to check the MD5 sigs of a
> download, and it's causing all kinds of problems with downloads
> through the installer.
>
> EdB
>
>
>