You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@helix.apache.org by "Sebb (JIRA)" <ji...@apache.org> on 2014/03/28 11:51:16 UTC

[jira] [Closed] (HELIX-421) Download page: confusion over sigs and hashes

     [ https://issues.apache.org/jira/browse/HELIX-421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebb closed HELIX-421.
----------------------


Thanks very much for the very prompt response!

Page is much better.

> Download page: confusion over sigs and hashes
> ---------------------------------------------
>
>                 Key: HELIX-421
>                 URL: https://issues.apache.org/jira/browse/HELIX-421
>             Project: Apache Helix
>          Issue Type: Bug
>         Environment: http://helix.apache.org/0.6.3-docs/download.cgi
>            Reporter: Sebb
>            Assignee: Kanak Biscuitwala
>
> The download page conflates the signature and hash files.
> However these server different purposes, and it's best not to treat them as if they were the same.
> The asc file is a signature
> The md5 and sha1 files are hashes
> The page then says
> "We strongly recommend you verify the integrity of the downloaded files with both PGP and MD5."
> The check provided by the signature (.asc) file is much stronger than the one provided by either of the hashes. There is no point in checking both.
> Have a look at http://www.apache.org/dyn/closer.cgi#verify for how to phrase this.



--
This message was sent by Atlassian JIRA
(v6.2#6252)