Posted to dev@helix.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2014/03/28 01:41:15 UTC
[jira] [Created] (HELIX-421) Download page: confusion over sigs and hashes
Sebb created HELIX-421:
--------------------------
Summary: Download page: confusion over sigs and hashes
Key: HELIX-421
URL: https://issues.apache.org/jira/browse/HELIX-421
Project: Apache Helix
Issue Type: Bug
Environment: http://helix.apache.org/0.6.3-docs/download.cgi
Reporter: Sebb
The download page conflates the signature and hash files.
However, these serve different purposes, and it's best not to treat them as if they were the same.
The asc file is a signature.
The md5 and sha1 files are hashes.
The page then says:
"We strongly recommend you verify the integrity of the downloaded files with both PGP and MD5."
The check provided by the signature (.asc) file is much stronger than the one provided by either of the hashes. There is no point in checking both.
Have a look at http://www.apache.org/dyn/closer.cgi#verify for how to phrase this.
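An added illustration of the distinction the report draws, not part of the original message or of the Helix project: a download whose .sha1 sidecar and artifact were both replaced on a mirror still passes the hash check, while the signature check fails. The toy RSA key stands in for a release manager's PGP key, and every name and sample byte string here is constructed for the example.

```python
import hashlib

# Toy RSA key built from two Mersenne primes (constructed for this example).
# It stands in for a PGP release key and is far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: never stored on a mirror

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Release manager side: requires the private exponent D."""
    return pow(_digest_int(data), D, N)

def verify_sig(data: bytes, sig: int) -> bool:
    """Downloader side: requires only the public key (N, E)."""
    return pow(sig, E, N) == _digest_int(data)

def verify_hash(data: bytes, sidecar: str) -> bool:
    """Compare against the first field of a .sha1 sidecar file."""
    return sha1_hex(data) == sidecar.split()[0].lower()

def publish(artifact: bytes) -> dict:
    """What a mirror serves: the artifact plus its .sha1 and .asc sidecars."""
    return {"file": artifact, "sha1": sha1_hex(artifact), "asc": sign(artifact)}

def tamper(mirror: dict, new_artifact: bytes) -> dict:
    """Model a modified mirror. Anyone can recompute the hash sidecar; a valid
    signature needs D, so the original .asc is all that can be served."""
    return {"file": new_artifact, "sha1": sha1_hex(new_artifact),
            "asc": mirror["asc"]}

def check(mirror: dict) -> dict:
    """Run both downloader-side checks on what the mirror served."""
    return {"hash_ok": verify_hash(mirror["file"], mirror["sha1"]),
            "sig_ok": verify_sig(mirror["file"], mirror["asc"])}

if __name__ == "__main__":
    good = publish(b"constructed release artifact bytes")
    bad = tamper(good, b"constructed modified artifact bytes")
    print("untouched mirror:", check(good))
    print("modified mirror: ", check(bad))
```

A hash fetched from the same place as the file only detects accidental corruption; the signature ties the file to a key that the mirror does not hold.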