Posted to dev@helix.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2014/03/28 01:41:15 UTC

[jira] [Created] (HELIX-421) Download page: confusion over sigs and hashes

Sebb created HELIX-421:
--------------------------

             Summary: Download page: confusion over sigs and hashes
                 Key: HELIX-421
                 URL: https://issues.apache.org/jira/browse/HELIX-421
             Project: Apache Helix
          Issue Type: Bug
         Environment: http://helix.apache.org/0.6.3-docs/download.cgi
            Reporter: Sebb


The download page conflates the signature and hash files.
However, these serve different purposes, and it's best not to treat them as if they were the same.

The asc file is a signature
The md5 and sha1 files are hashes

The page then says

"We strongly recommend you verify the integrity of the downloaded files with both PGP and MD5."

The check provided by the signature (.asc) file is much stronger than the one provided by either of the hashes. There is no point in checking both.

Have a look at http://www.apache.org/dyn/closer.cgi#verify for how to phrase this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
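
The difference the report describes, as an added example that is not part of the original message or of the Helix project: a hash sidecar can be regenerated by whoever can change the file, while a signature can only be produced with the private key. The toy RSA key, the sample bytes and all function names are constructed for illustration and stand in for a real PGP key and `gpg --verify`.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes), far too small for real use.
# It stands in for the release manager's PGP key; assumption, not Helix's key.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the signer

def digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(data: bytes) -> int:
    """Release manager side: requires the private exponent D."""
    return pow(digest_int(data), D, N)

def hash_ok(artifact: bytes, sha1_file: str) -> bool:
    """Hash check: compares against a value anyone can recompute."""
    return hashlib.sha1(artifact).hexdigest() == sha1_file.split()[0].lower()

def sig_ok(artifact: bytes, signature: int, pub=(N, E)) -> bool:
    """Signature check: uses only the public key, obtained out of band."""
    n, e = pub
    return pow(signature, e, n) == digest_int(artifact)

def mirror(artifact: bytes, signature: int) -> dict:
    """What a download location serves: the file plus .sha1 and .asc sidecars."""
    return {"bin": artifact, "sha1": hashlib.sha1(artifact).hexdigest(), "asc": signature}

def check(served: dict) -> tuple:
    return hash_ok(served["bin"], served["sha1"]), sig_ok(served["bin"], served["asc"])

release = b"release-artifact (constructed sample bytes)"
good = mirror(release, sign(release))
# Corrupted in transit: the sidecars are unchanged, so both checks fail.
corrupt = dict(good, bin=release[:-1] + b"?")
# File replaced at the download location: the .sha1 is regenerated to match,
# but the old .asc no longer verifies and a new one cannot be made without D.
swapped = mirror(b"different contents", good["asc"])

if __name__ == "__main__":
    for name, served in [("good", good), ("corrupt", corrupt), ("swapped", swapped)]:
        print(name, "hash_ok=%s sig_ok=%s" % check(served))
```

The hash catches accidental corruption only; the signature catches that case and the replaced-file case, which is why checking both adds nothing.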