Posted to jira@kafka.apache.org by "M Sesterhenn (Jira)" <ji...@apache.org> on 2022/07/06 22:34:00 UTC

[jira] [Updated] (KAFKA-14052) Download verification directions are incorrect for linux

     [ https://issues.apache.org/jira/browse/KAFKA-14052?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

M Sesterhenn updated KAFKA-14052:
---------------------------------
    Description: 
[https://www.apache.org/info/verification.html]

The above is linked to from the kafka download page ([https://kafka.apache.org/downloads]), and it contains incorrect instructions for verifying the release.

The .sha512 files for the downloads are all in this format:
{code:java}
kafka_2.13-3.2.0.tgz: 736A1298 23B058DC 10788D08 93BDE47B 6F39B9E4 972F9EAC 2D5C9E85 E51E4773 44C6F1E1 EBD126CE 34D5FD43 0EB07E55 FDD60D60 CB541F1D 48655C0E BC0A4778 
{code}
These files cannot be used to easily verify the expected hash using the procedure described in the verification website.  The website says to use:
{code:bash}
sha512sum file
{code}
...which doesn't do any hash comparison; it only tells you what the file's hash is, and it is up to the user to manually compare its output with the differently formatted output in the .sha512 file, which is error-prone and a chore.

Expected result:

I would expect to be able to do 
{code:bash}
sha512sum -c file
{code}
...like any normal download.

If the format of the .sha512 files cannot be changed to be compatible with the linux shasum program, then please update the website to describe the proper way to compare hashes.  The best way seems to be a script like this:
{code:bash}
# Quote the variables so paths with spaces work, and clean up the temp file afterwards.
SHA=$(mktemp); gpg --print-md SHA512 "$FILE" > "$SHA" && diff "$SHA" "$FILE.sha512" && echo "SHA checks out OK."
rm -f "$SHA"
{code}
(where FILE is the downloaded tarball.)

I looked into providing a PR for the verification page, but that is an Apache-wide web page and probably is not publicly available.

> Download verification directions are incorrect for linux
> --------------------------------------------------------
>
>                 Key: KAFKA-14052
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14052
>             Project: Kafka
>          Issue Type: Bug
>          Components: documentation
>         Environment: website
>            Reporter: M Sesterhenn
>            Priority: Major
>
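The following is an added example, not code from the issue above or from the Kafka project, showing how to check an Apache-style .sha512 file (the `gpg --print-md SHA512` layout of "name: XXXXXXXX XXXXXXXX ..." in upper-case 8-hex groups, either on one line as quoted in the issue or wrapped onto a second line) using only coreutils, and how to rewrite that file into the "<hex>  <name>" form that `sha512sum -c` accepts. The function names, the sample artifact name and the fixture are my own; the fixture's digest is the standard SHA-512 test vector for the string "abc", not a real Kafka release.

```shell
#!/bin/sh
# Added example (not from the Jira issue or the Kafka project): verify an
# Apache-style .sha512 file produced with `gpg --print-md SHA512` using only
# coreutils, and convert it for `sha512sum -c`. Function names are assumptions.

# Print the expected digest from a gpg --print-md style .sha512 file as
# lower-case hex with no whitespace. Handles single-line and wrapped forms:
# the "name:" prefix is only on line 1, continuation lines are just groups.
apache_sha512_expected() {
    sed '1s/^[^:]*://' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Print the artifact name recorded before the colon on the first line.
apache_sha512_name() {
    sed -n '1s/:.*$//p' "$1"
}

# Rewrite the checksum file into the "<hex>  <name>" line that
# `sha512sum -c` expects (run sha512sum -c in the directory holding the file).
apache_sha512_to_coreutils() {
    printf '%s  %s\n' "$(apache_sha512_expected "$1")" "$(apache_sha512_name "$1")"
}

# Compare the recorded digest against the downloaded file.
# Returns 0 on match, 1 on mismatch, 2 if the checksum file is unusable
# or names a different artifact than the one being checked.
verify_apache_sha512() {
    tarball=$1
    sums=$2
    expected=$(apache_sha512_expected "$sums")
    listed=$(apache_sha512_name "$sums")
    # Refuse to "verify" a file against a checksum recorded for another name.
    if [ "$listed" != "$(basename "$tarball")" ]; then
        echo "$sums names '$listed', not '$(basename "$tarball")'" >&2
        return 2
    fi
    # A SHA-512 digest is exactly 128 hex characters; anything else means
    # the file was not parsed correctly (wrong format, HTML error page, ...).
    case $expected in
        *[!0-9a-f]* | '') echo "$sums: digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 128 ]; then
        echo "$sums: digest is ${#expected} hex chars, expected 128" >&2
        return 2
    fi
    actual=$(sha512sum "$tarball" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        echo "$tarball: OK"
        return 0
    fi
    echo "$tarball: FAILED (expected $expected, got $actual)" >&2
    return 1
}

# Constructed fixture (not a real release): a file whose content is "abc",
# whose SHA-512 is the well-known test vector, plus a checksum file in the
# wrapped upper-case layout that gpg --print-md emits.
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'abc' > "$dir/sample-1.0.0.tgz"
    cat > "$dir/sample-1.0.0.tgz.sha512" <<'EOF'
sample-1.0.0.tgz: DDAF35A1 93617ABA CC417349 AE204131 12E6FA4E 89A97EA2 0A9EEEE6 4B55D39A
                  2192992A 274FC1A8 36BA3C23 A3FEEBBD 454D4423 643CE80E 2A9AC94F A54CA49F
EOF
}

# Stand-alone usage: build the fixture in a temp dir and check it both ways.
demo() {
    dir=$(mktemp -d)
    make_fixture "$dir"
    verify_apache_sha512 "$dir/sample-1.0.0.tgz" "$dir/sample-1.0.0.tgz.sha512"
    apache_sha512_to_coreutils "$dir/sample-1.0.0.tgz.sha512" > "$dir/SHA512SUMS"
    (cd "$dir" && sha512sum -c SHA512SUMS)
    rm -rf "$dir"
}
demo
```

The name check matters in practice: a .sha512 file fetched for one artifact silently "passing" against a different download is the kind of mistake the manual eyeball comparison invites. A matching checksum only shows the file is the one the mirror published; authenticity still comes from checking the detached .asc signature against the project's KEYS file, which the Apache verification page also covers.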



--
This message was sent by Atlassian Jira
(v8.20.10#820010)