Posted to infrastructure-issues@apache.org by "Henk Penning (JIRA)" <ji...@apache.org> on 2015/01/01 11:32:13 UTC

[jira] [Commented] (INFRA-8959) dist mirrors undesirably include hashes

    [ https://issues.apache.org/jira/browse/INFRA-8959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14262525#comment-14262525 ] 

Henk Penning commented on INFRA-8959:
-------------------------------------

> "It is vital that hash, signature and KEYS files are only downloaded from ASF hosts" [sic]

IMHO it is not "vital" ; it is just one more measure to avoid a trojan horse on a mirror.

Accumulo's solution to the problem (ACCUMULO-3457) is to rename
"MD5SUM" to "MD5SUM.md5" (to get it excluded in mirror downloads).
But the (apache.org) convention is that "XXXX.md5" contains the md5
checksum for file "XXXX" ; and now "accumulo/1.6.1/MD5SUM.md5"
-- does not contain 1 md5 checksum
-- "accumulo/1.6.1/MD5SUM" does not exist.
So, this is not the right solution ; please revert the renaming.

FYI, see http://people.apache.org/~henkp/checker/md5.html

Regarding excluding more patterns, first a question :
why is the (apache.org) convention of supplying separate XXXX.{md5,sha1,...} files
not convenient for 'accumulo' ?

[ I see qpid used 'SHA1SUM' in proton/0.7, but reverted to 'conventional' in proton/0.8 ]

Regards, Henk Penning

> dist mirrors undesirably include hashes
> ---------------------------------------
>
>                 Key: INFRA-8959
>                 URL: https://issues.apache.org/jira/browse/INFRA-8959
>             Project: Infrastructure
>          Issue Type: Wish
>          Components: Dists, Mirrors, SvnPubSub
>            Reporter: Christopher Tubbs
>
> According to http://www.apache.org/dev/release-publishing.html,
> "It is vital that hash, signature and KEYS files are only downloaded from ASF hosts. So the following files are excluded from synchronisation:
> .md5 .MD5 .sha1 .sha .sha256 .sha512 .asc .sig KEYS KEYS.txt
> Do not use any other file names for such files."
> The Accumulo project inadvertently used a different naming convention (SHA1SUM and MD5SUM). See ACCUMULO-3457.
> Since these filenames are not unusual, it is requested that the following case-insensitive pattern also be excluded:
> (sha\d*|md5?)sums?([.]txt)?
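The two rule sets discussed in this thread (the exclusion list quoted from release-publishing.html, and the extra case-insensitive pattern proposed in the issue), plus the XXXX / XXXX.md5 convention Henk describes, as an added example that is not part of the JIRA issue, the ASF mirror scripts, or Henk's checker. It applies both rule sets to a constructed stand-in for accumulo/1.6.1/ and then checks every .md5 sidecar the way the convention requires. Anchoring the proposed pattern to the whole basename, and the file contents, are assumptions made here.

```python
"""Mirror-exclusion and .md5 sidecar checks for an ASF dist directory listing (added example)."""
import hashlib
import re

# Exclusion list as quoted from release-publishing.html in the issue description.
ASF_EXCLUDED_SUFFIXES = (".md5", ".MD5", ".sha1", ".sha", ".sha256", ".sha512", ".asc", ".sig")
ASF_EXCLUDED_NAMES = ("KEYS", "KEYS.txt")

# The additional case-insensitive pattern proposed in INFRA-8959.  Matching it against the
# whole basename (fullmatch) is an assumption; the issue gives only the pattern.
PROPOSED_SUMS_RE = re.compile(r"(sha\d*|md5?)sums?([.]txt)?", re.IGNORECASE)

HEX_MD5_RE = re.compile(rb"\b[0-9a-fA-F]{32}\b")


def excluded_by_asf(basename):
    """True if the current ASF rules keep this file off the mirrors."""
    return basename in ASF_EXCLUDED_NAMES or basename.endswith(ASF_EXCLUDED_SUFFIXES)


def excluded_by_proposal(basename):
    """True if the extra pattern from INFRA-8959 would exclude this file."""
    return PROPOSED_SUMS_RE.fullmatch(basename) is not None


def mirrored(basenames, with_proposal=False):
    """Names that would still be synced to mirrors under the chosen rule set."""
    return sorted(
        n for n in basenames
        if not excluded_by_asf(n) and not (with_proposal and excluded_by_proposal(n))
    )


def check_md5_sidecars(files):
    """Check every XXXX.md5 against the convention: XXXX must exist and the sidecar must
    hold exactly one MD5 digest equal to md5(XXXX).  Returns {sidecar: [problems]}."""
    report = {}
    for name, content in files.items():
        if not name.endswith((".md5", ".MD5")):
            continue
        problems = []
        target = name[:-4]
        digests = [d.decode().lower() for d in HEX_MD5_RE.findall(content)]
        if target not in files:
            problems.append("target %s does not exist" % target)
        if len(digests) != 1:
            problems.append("contains %d digests, expected 1" % len(digests))
        elif target in files and digests[0] != hashlib.md5(files[target]).hexdigest():
            problems.append("digest does not match md5(%s)" % target)
        report[name] = problems
    return report


def build_sample_dist():
    """Constructed stand-in for accumulo/1.6.1/; the contents are not the real artifacts."""
    bin_tgz = b"constructed bytes standing in for accumulo-1.6.1-bin.tar.gz\n"
    src_tgz = b"constructed bytes standing in for accumulo-1.6.1-src.tar.gz\n"
    bin_md5 = hashlib.md5(bin_tgz).hexdigest().encode()
    src_md5 = hashlib.md5(src_tgz).hexdigest().encode()
    return {
        "accumulo-1.6.1-bin.tar.gz": bin_tgz,
        "accumulo-1.6.1-src.tar.gz": src_tgz,
        # Conventional sidecar: one digest, for the file it is named after.
        "accumulo-1.6.1-bin.tar.gz.md5": bin_md5 + b"  accumulo-1.6.1-bin.tar.gz\n",
        "accumulo-1.6.1-bin.tar.gz.asc": b"(constructed stand-in for a PGP signature)\n",
        # The ACCUMULO-3457 rename: excluded by suffix, but it breaks the XXXX/XXXX.md5 convention.
        "MD5SUM.md5": (bin_md5 + b"  accumulo-1.6.1-bin.tar.gz\n"
                       + src_md5 + b"  accumulo-1.6.1-src.tar.gz\n"),
        # The original name: not excluded by the current rules, so it reaches the mirrors.
        "SHA1SUM": b"(constructed SHA1SUM contents)\n",
        "KEYS": b"(constructed KEYS contents)\n",
    }


if __name__ == "__main__":
    dist = build_sample_dist()
    print("synced under current rules :", mirrored(dist))
    print("synced with proposed rule  :", mirrored(dist, with_proposal=True))
    for sidecar, problems in check_md5_sidecars(dist).items():
        print(sidecar, "->", problems or "ok")
```

Running it shows the two sides of the thread at once: under the current suffix list SHA1SUM is still synced to mirrors (the reporter's problem), the proposed pattern stops that, and MD5SUM.md5 is excluded but fails the sidecar check on exactly the two points Henk raises (no file MD5SUM, and more than one digest).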


