You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@openoffice.apache.org by Brian Barker <b....@btinternet.com> on 2016/11/24 21:25:09 UTC
Hash values of downloaded files
I've been hearing from a intending user of OpenOffice who was
repeatedly finding the hashes on his downloads did not match. He (I
think he was a "he") had repeatedly downloaded form different mirrors
but could not get a match. He even, he says, tried other versions and
other operating systems. Clearly there was something wrong at his
end. Can you guess yet?
He solved the problem by himself. Instead of comparing the hash
derived from the downloaded file with the *content* of the
corresponding hash file, he had been seeking a match with the hash
derived from that hash file. Now you and I might find that an
unlikely course of action, but how is someone taking it to realise his mistake?
I've been looking at
http://www.openoffice.org/download/checksums.html . It gives
instructions such as "If both hash values do not match" and "When
both hash values match", though it does also say "Paste the hash from
the SHA256 / MD5 file you have downloaded. First you have to open it
and copy the hash value" and "Now compare the hash generated by
OpenSSL with the value in the file".
For the benefit of naive users - who may well not have been
encouraged to use such techniques before - are there enough clues on
this web page to assist anyone making this error?
Brian Barker
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Hash values of downloaded files
Posted by Marcus <ma...@wtnet.de>.
Am 11/26/2016 01:22 PM, schrieb Brian Barker:
> At 22:44 24/11/2016 +0100, Marcus Noname wrote:
>> Am 11/24/2016 10:25 PM, schrieb Brian Barker:
>>> I've been hearing from a intending user of OpenOffice who was
>>> repeatedly finding the hashes on his downloads did not match. He (I
>>> think he was a "he") had repeatedly downloaded form different mirrors
>>> but could not get a match. He even, he says, tried other versions and
>>> other operating systems. Clearly there was something wrong at his
>>> end. Can you guess yet?
>>
>> as you don't write from where he has done the downloads, this could be
>> a source of error.
>
> Thanks for this.
>
> That was the first thing I checked, of course - and yes, he was using
> the official site.
>
>> 1. Download OpenOffice from here [1].
>
> Er, where? No footnote! But that's not the problem ...
sorry, I wanted to add the
"http://www.openoffice.org/download/index.html" webpage.
> [your long explanation]
... or in shorter words.
He has generated the hash value of the downloaded installation file
*and* of the hash file (*.md5 or *.sha256 file extension) itself. And
then finally compared both with each other. OK, this indeed doesn't work.
Unfortunately, you missed to tell us the user's operating system and how
he has generated the has value. So, I assume he is working on Windows
and has used a tool. Then you can find the following paragraph on the
instructions webpage
"http://www.openoffice.org/download/checksums.html#hash_win". Point #4
says to open the hash file to get the value. For me that is pretty
clear. But I'm not a native speaker, so maybe there is room for
misunderstanding.
Or do you mean another section of the instruction webpage? Then please
tell us.
PS:
Please don't take it personally. However, I haven't heard ever about
doing the hash comparison this way. And when I look *into* the *.md5 or
*.sha256 hash file I would see that this is the value that I need to
compare with the generated one.
Thanks
Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Hash values of downloaded files
Posted by Brian Barker <b....@btinternet.com>.
At 22:44 24/11/2016 +0100, Marcus Noname wrote:
>Am 11/24/2016 10:25 PM, schrieb Brian Barker:
>>I've been hearing from a intending user of OpenOffice who was
>>repeatedly finding the hashes on his downloads did not match. He (I
>>think he was a "he") had repeatedly downloaded form different
>>mirrors but could not get a match. He even, he says, tried other
>>versions and other operating systems. Clearly there was something
>>wrong at his end. Can you guess yet?
>
>as you don't write from where he has done the downloads, this could
>be a source of error.
Thanks for this.
That was the first thing I checked, of course - and yes, he was using
the official site.
>1. Download OpenOffice from here [1].
Er, where? No footnote! But that's not the problem ...
>2. Download the hash file from the same webpage ...
Now you are teaching me how to do this, so let's be clear. You know
what to do. I know what to do. Even the naive user now knows what to
do. Originally he made a mistake, but he eventually realised what he
had done. I understand the mistake and why he made it. You don't
(yet) understand what he did or why the web site instructions are
perhaps not clear enough to prevent this mistake by users. I'm hoping
I can get you (or whoever) to understand this and perhaps improve the web site.
>Sorry, I don't understand what he has done. Comparing the file with itself?
No, of course not. I think that the fact that you found my
description (which I've re-read and I'm sure is clear) didn't lead
you immediately to an appreciation of the problem only goes to show
how the necessary wording can be confusing. That's my point.
Incidentally, did no-one else want understand my point?
Let's look at your description instead of at the web site. At point
3, you say to "generate the hash value from the downloaded OpenOffice
file". At point 4, you say to "[c]ompare it with the value of the
downloaded hash file". There are two tiny words there that differ
between the instructions: you mean something very different by a
value *from* a file and a value *of* a file. In the first case you
mean a value derived from a file by processing it through a program;
in the second you mean to refer to a value stored in a file. Can you
see that a user might easily miss that very important distinction?
As I explained, the user quite properly derived the hash value of the
installation file. He then - understandably but wrongly - performed
the same process to derive the hash value *of* the hash file -
instead of inspecting the value provided in that file. Not
surprisingly, these values never matched, whatever version he tried
or mirror source he used.
You and I will think that this misunderstanding is unlikely, but that
is because we already understand how hashes are used to confirm the
integrity of files in this way. As I mentioned, the web site - at
http://www.openoffice.org/download/checksums.html - uses expressions
such as "If both hash values do not match" and "When both hash values
match", and the use of the word "match" is asking the users to seek
similarity. The values to be compared are not "hash values" in the
same way. It is surely not surprising that this user therefore
believed hat he was being asked to do similar things with both files?
In any case, whatever you and I think, that is what he did. I'm
suggesting that we should believe the evidence.
>If there are any mistakes or room for improvements, then please tell us.
I thought I had.
The web page separately sets out instructions for different methods
of deriving the hash value. In the couple of lines at the top, there
is only one sentence explaining the purpose. There is simply no
statement that the hash file already contains the *answer* that
should match what is derived from the file being checked. The later
use of expressions such as "both hash values do not match" and "both
hash values match" gives a strong impression that we are comparing
like with like. There are two hash values, we are being told, which
should match. It's not surprising that a user expects to derive two
hash values in the same way. It would be better not to call both
values "hash values" but to distinguish between the hash value
(derived form the file being checked) with the "comparison value" or
"check value" or "correct result" or whatever contained in (and not
derived from) the hash value file.
Brian Barker
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Hash values of downloaded files
Posted by Andrea Pescetti <pe...@apache.org>.
Marcus wrote:
> @Andrea:
> I don't know where to find this text part. Have you found it in the
> meantime?
Ah, I see now. Brian's example of an ambiguous sentence was from your
mail (where you repeated the process using your own words), not from the
website. Well, at this point I think we'll have to wait for Brian to
give specific suggestions on how to reword
http://www.openoffice.org/download/checksums.html then.
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Hash values of downloaded files
Posted by Marcus <ma...@wtnet.de>.
Am 11/27/2016 04:22 PM, schrieb Andrea Pescetti:
> Patricia Shanahan wrote:
>> Can you suggest an alternative wording that would be clearer?
>
> I think we could change the problematic wording reported by Brian
>
> "[c]ompare it with the value of the downloaded hash file"
>
> into
>
> "[c]ompare it with the content of the downloaded hash file"
>
> I also suspect that the fact that *.md5 files cannot be opened in a
> straightforward way in Windows contributes to the confusion, since the
> user can't immediately see that the .md5 file is just one line of text
> with information.
@Andrea:
I don't know where to find this text part. Have you found it in the
meantime?
Thanks
Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Hash values of downloaded files
Posted by Andrea Pescetti <pe...@apache.org>.
Patricia Shanahan wrote:
> Can you suggest an alternative wording that would be clearer?
I think we could change the problematic wording reported by Brian
"[c]ompare it with the value of the downloaded hash file"
into
"[c]ompare it with the content of the downloaded hash file"
I also suspect that the fact that *.md5 files cannot be opened in a
straightforward way in Windows contributes to the confusion, since the
user can't immediately see that the .md5 file is just one line of text
with information.
Regards,
Andrea.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Hash values of downloaded files
Posted by Patricia Shanahan <pa...@acm.org>.
On 11/26/2016 4:22 AM, Brian Barker wrote:
...
> As I explained, the user quite properly derived the hash value of the
> installation file. He then - understandably but wrongly - performed the
> same process to derive the hash value *of* the hash file - instead of
> inspecting the value provided in that file. Not surprisingly, these
> values never matched, whatever version he tried or mirror source he used.
>
> You and I will think that this misunderstanding is unlikely, but that is
> because we already understand how hashes are used to confirm the
> integrity of files in this way. As I mentioned, the web site - at
> http://www.openoffice.org/download/checksums.html - uses expressions
> such as "If both hash values do not match" and "When both hash values
> match", and the use of the word "match" is asking the users to seek
> similarity. The values to be compared are not "hash values" in the same
> way. It is surely not surprising that this user therefore believed hat
> he was being asked to do similar things with both files? In any case,
> whatever you and I think, that is what he did. I'm suggesting that we
> should believe the evidence.
Can you suggest an alternative wording that would be clearer?
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org
Re: Hash values of downloaded files
Posted by Marcus <ma...@wtnet.de>.
Am 11/24/2016 10:25 PM, schrieb Brian Barker:
> I've been hearing from a intending user of OpenOffice who was repeatedly
> finding the hashes on his downloads did not match. He (I think he was a
> "he") had repeatedly downloaded form different mirrors but could not get
> a match. He even, he says, tried other versions and other operating
> systems. Clearly there was something wrong at his end. Can you guess yet?
as you don't write from where he has done the downloads, this could be a
source of error.
1. Download OpenOffice from here [1].
2. Download te hash file from the same webpage (the links for the hash
files (MD5 and SHA256) are in the light green box).
3. After the download is complete, generate the hash value from the
downloaded OpenOffice file.
4. Compare it with the value of the downloaded hash file.
When the download was complete, not interrupted etc. then both hash
values are the same.
> He solved the problem by himself. Instead of comparing the hash derived
> from the downloaded file with the *content* of the corresponding hash
> file, he had been seeking a match with the hash derived from that hash
> file. Now you and I might find that an unlikely course of action, but
> how is someone taking it to realise his mistake?
Sorry, I don't understand what he has done. Comparing the file with itself?
> I've been looking at http://www.openoffice.org/download/checksums.html .
> It gives instructions such as "If both hash values do not match" and
> "When both hash values match", though it does also say "Paste the hash
> from the SHA256 / MD5 file you have downloaded. First you have to open
> it and copy the hash value" and "Now compare the hash generated by
> OpenSSL with the value in the file".
>
> For the benefit of naive users - who may well not have been encouraged
> to use such techniques before - are there enough clues on this web page
> to assist anyone making this error?
If there are any mistakes or room for improvements, then please tell us.
Thanks
Marcus
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@openoffice.apache.org
For additional commands, e-mail: dev-help@openoffice.apache.org