Posted to repository@apache.org by Nick Chalko <ni...@chalko.com> on 2004/07/15 22:59:31 UTC
Trusting md5
I just wanted to walk through the steps needed to trust an md5 signature,
using mirrors.
Given a unified directory/repository structure between mirrors and the
official source.
Here is what I think the steps are:
1. User/tool visits the official repository for a resource, and gets
   a list of mirrors.
2. User/tool browses and finds desired download from a mirror.
   http://mirror.org/group/project/artifact.zip
3. User/tool downloads matching MD5 from https of official site,
   say https:/repo.apache.org/group/project/artifact.zip.MD5
   1. User/tool verifies the validity of the
      https:/repo.apache.org certificate.
4. User/tool compares downloaded MD5 to generated md5 of downloaded
   artifact.
   1. If no match then delete downloaded file and report error.
Have I overlooked anything?
R,
Nick
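
Steps 3 and 4 of the message above, as an added example that is not part of the original post or any Apache tooling. The host in OFFICIAL is a placeholder, the function names are hypothetical, and the sample artifact bytes are constructed; the hash algorithm is a parameter, so the same check works for any digest hashlib supports.

```python
import hashlib, hmac, os, ssl, tempfile, urllib.request

OFFICIAL = "https://repo.example.org"  # placeholder for the official host (assumption)

def parse_digest(text, algo="md5"):
    """Accept 'hex' or 'hex  filename' checksum files; reject anything else."""
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if len(token) != hashlib.new(algo).digest_size * 2 or set(token) - set("0123456789abcdef"):
        raise ValueError("malformed checksum file")
    return token

def fetch_official_digest(rel_path, algo="md5"):
    """Step 3: fetch the checksum from the official site, never from the mirror."""
    ctx = ssl.create_default_context()  # validates certificate chain and hostname (step 3.1)
    url = f"{OFFICIAL}/{rel_path}.{algo.upper()}"
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return parse_digest(resp.read(4096).decode("ascii"), algo)

def file_digest(path, algo="md5"):
    """Hash the downloaded artifact in chunks so large files do not fill memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_or_delete(path, official_hex, algo="md5"):
    """Step 4: compare digests; on mismatch delete the file and report an error."""
    if hmac.compare_digest(file_digest(path, algo), official_hex):
        return True
    os.remove(path)
    raise ValueError(f"{algo} mismatch for {path}; file deleted")

def demo():
    """Offline run on constructed data: one intact and one altered mirror download."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "artifact.zip")
        official = parse_digest(hashlib.md5(b"constructed artifact").hexdigest() + "  artifact.zip\n")
        with open(path, "wb") as f:
            f.write(b"constructed artifact")
        intact_ok = verify_or_delete(path, official)
        with open(path, "wb") as f:
            f.write(b"constructed artifact, altered by mirror")
        try:
            verify_or_delete(path, official)
        except ValueError:
            return intact_ok, not os.path.exists(path)
    return intact_ok, False

if __name__ == "__main__":
    print(demo())
```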