You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@maven.apache.org by "Mark R. Diggory" <md...@latte.harvard.edu> on 2004/02/11 22:33:19 UTC

Re: MD5 and Mirrors ( was Re: MD5 Hash )

Well, after my own little survey, I've determined the following:

md5 on BSD (Apache Minotaur):

mdiggory@minotaur:/home/mdiggory> md5 foo.bar
MD5 (foo.bar) = 7f5e787ff3b930d906d01243ccf7c237

md5 has no built in option to compare the file to the checksum and 
return true/false.

Output of md5sum (GNU textutils) on Redhat:
mdiggory@osprey:/home/mdiggory> md5sum foo.bar
7f5e787ff3b930d906d01243ccf7c237 foo.bar

md5sum has a built in option which compares the md5 from the signature 
against the original file.

[mdiggory@osprey mdiggory]$ md5sum -c foo.bar.md5
foo.bar: OK


Output of Maven when publishing to repository is the md5 string minus 
the filename and is dependent on GNU md5sum.

*example snippet of the command as its run in jelly*
     <repository:exec>
       cd ${directory};
       md5sum ${artifactName} | sed 's/ .*$//' | tee ${artifactName}.md5;
       chgrp ${maven.repository.group} *;
       chmod g+w,a+r *;
     </repository:exec>

results in the string with no filename on ibiblio, and actually fails on 
minotaur as its BSD and the executable is not present.

What is the right/wrong way is not really a reasonable question to ask.

How to appropriately deal with the variants in both md5/md5sum ... 
generation and file structure specifically in relation to the repository 
are the important questions to throw around.


My opinions are the following:

Server side OS dependent tools are usually accessed in scripts (say, in 
a cron script which does checking and reports errors). These scripts 
will always be unique to an OS, It'll often be the case that they are 
custom for that particular need. the author usually writes their own 
string parsing routines (ie: md5sum foo.bar | sed 's/ .*$//').

A client side tool needs a simple and standard means of validating the 
content they are about to download or upload onto a server. If the 
repository structure already enforces the name of the md5 sum in 
relation to the file name, any internal naming done inside the md5 file 
is redundant. It would be good to just have the file contain the 
checksum which reduces parsing requirements on both the server and the 
client..

Client tools should be robust enough (or extensible enough) to generate 
the appropriate md5 sum for a particular artifact and to easily find and 
read/compare it to the content on the server.


-Mark

Markus M. May wrote:

> Hello Mark,
> 
> this is probably my fault. I checked this whole stuff with a very old 
> maven.md5-file. The format is now equal between the two projects.
> 
> Sorry for the confusion.
> 
> Markus
> 
> 

-- 
Mark Diggory
Software Developer
Harvard MIT Data Center
http://www.hmdc.harvard.edu

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@maven.apache.org
For additional commands, e-mail: users-help@maven.apache.org