https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

            Bug ID: 57344
           Summary: [PATCH] Provide sha1 checksum files for Tomcat
                    downloads
           Product: Tomcat 8
           Version: trunk
          Hardware: PC
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Packaging
          Assignee: dev@tomcat.apache.org
          Reporter: knst.koli...@gmail.com

I prepared a patch that adds *.sha1 files to the Tomcat release in addition to
the *.md5 ones.

Are there any objections?

A minor issue fixed along the way:
due to a missing <exclude name="*.asc">, the apache-tomcat-8.0.15-embed.tar.gz
archive contains an apache-tomcat-8.0.15-embed.zip.asc file that does not belong
there.


Is it worth adding SHA-2 (SHA-512)? I have some questions:

My issues with SHA-512:
=========================
1) Is it worth adding SHA-512?
Generally, users should use PGP signatures for verification, not the checksums.

2) Not many ASF projects provide SHA-2 checksums.
One that I know of is Apache Ant:

http://ant.apache.org/bindownload.cgi

Looking at Apache Ant, I have several notes:

a) *.sha512 files are not copied to mirrors, so ASF mirror system knows how to
skip these files. (Good)

b) when I click on the link to a file, browser (Firefox 34) does not display
the file, but prompts to download it. (Unexpected)

Looking at response headers in Firefox, the server sends Content-Type:
application/zip for *.zip.sha512, application/x-gzip for *.tar.gz.sha512,
application/x-bzip2 for *.tar.bz2.

So the server is not configured for these files. It sends text/plain for *.sha1
files.


3) I do not have a command-line tool to automatically verify SHA-512.

There exists sha512sum from GNU,
http://www.gnu.org/software/coreutils/manual/coreutils.html#sha2-utilities

but GnuWin32 CoreUtils does not include this tool.


4) What file format shall we use?

Apache Ant downloads use hashsum + LF.

We use hashsum + " *" + filename, which is the format supported by the
md5sum and sha1sum GNU utilities.

`openssl dgst -sha512 filename` generates "SHA512(" + filename + ")= " + hashsum
+ LF, but I think that openssl does not read this format.

I think it would be better to print just the hashsum value, but I wonder whether
that is supported by the sha512sum tool.

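Points 3 and 4 above (no sha512sum on Windows, and three competing line formats) are the kind of thing a small portable verifier resolves. The script below is an added example, not part of the proposed patch or of the Tomcat build: it parses a checksum line in the GNU coreutils format ("<hex> *<file>" or "<hex>  <file>"), the `openssl dgst` format ("SHA512(<file>)= <hex>"), or a bare hex digest plus LF, infers the algorithm from the digest length when the line does not name one, and checks the download with Python's hashlib, which has SHA-512 everywhere Python runs. The artifact name used in the self-check is hypothetical and the sample content is constructed. It also accepts the "SHA2-512(" label, which is an assumption about newer OpenSSL output rather than something stated in this report. As the report says, a checksum fetched from the same place as the archive only detects corruption; only the PGP signature detects a tampered mirror.

```python
"""Verify a downloaded file against one checksum line in any of the three
formats discussed in the report.  Added example, not Tomcat project code."""
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> algorithm, used when the line carries no label.
_DIGEST_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# 1) GNU md5sum/sha1sum/sha512sum: "<hex> *<file>" (binary) or "<hex>  <file>" (text)
_GNU_RE = re.compile(r"^([0-9a-fA-F]+) [ *](\S.*)$")
# 2) openssl dgst: "SHA512(<file>)= <hex>"; the "SHA2-512(" label is an assumed variant
_OPENSSL_RE = re.compile(r"^([A-Za-z0-9-]+)\((.+)\)= *([0-9a-fA-F]+)$")
# 3) bare digest, nothing else on the line (Apache Ant style, hash + LF)
_BARE_RE = re.compile(r"^([0-9a-fA-F]+)$")


def parse_checksum_line(line):
    """Return (algorithm, lowercase hex digest, filename or None).

    Raises ValueError for an unrecognised line, an unknown algorithm, or a
    digest whose length does not fit the stated or inferred algorithm."""
    line = line.strip()
    filename = None
    m = _OPENSSL_RE.match(line)
    if m:
        label, filename, digest = m.groups()
        algo = label.lower().replace("sha2-", "sha").replace("-", "")
    else:
        m = _GNU_RE.match(line)
        if m:
            digest, filename = m.groups()
        elif _BARE_RE.match(line):
            digest = line
        else:
            raise ValueError("unrecognised checksum line: %r" % line)
        algo = _DIGEST_LEN.get(len(digest))
        if algo is None:
            raise ValueError("cannot infer algorithm from a %d-char digest" % len(digest))
    try:
        expected_len = 2 * hashlib.new(algo).digest_size
    except ValueError:
        raise ValueError("unsupported algorithm %r" % algo)
    if len(digest) != expected_len:
        raise ValueError("%d-char digest does not fit %s" % (len(digest), algo))
    return algo, digest.lower(), filename


def is_checksum_line(line):
    """True if parse_checksum_line accepts the line."""
    try:
        parse_checksum_line(line)
        return True
    except ValueError:
        return False


def file_digest(path, algo):
    """Hex digest of a file, read in 1 MiB chunks so large archives fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path, checksum_line):
    """True if the file's digest equals the one in checksum_line.

    When the line names a file, its base name must match the file being
    checked, so a checksum belonging to another artifact is never accepted."""
    algo, expected, name = parse_checksum_line(checksum_line)
    if name is not None and os.path.basename(name) != os.path.basename(path):
        return False
    return hmac.compare_digest(file_digest(path, algo), expected)


def gnu_checksum_line(path, algo="sha1"):
    """Emit the line format the Tomcat .md5/.sha1 files use: "<hex> *<basename>"."""
    return "%s *%s\n" % (file_digest(path, algo), os.path.basename(path))


def self_check():
    """Round-trip all three formats over a constructed file; True on success."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "apache-tomcat-8.0.15.tar.gz")  # hypothetical name
        with open(path, "wb") as f:
            f.write(b"constructed sample content, not a real tarball\n")
        digest = file_digest(path, "sha512")
        lines = [
            "%s *apache-tomcat-8.0.15.tar.gz\n" % digest,         # sha512sum -b
            "SHA512(apache-tomcat-8.0.15.tar.gz)= %s\n" % digest,  # openssl dgst -sha512
            digest + "\n",                                        # bare hash + LF
            gnu_checksum_line(path, "sha1"),                      # Tomcat's own .sha1 style
        ]
        ok = all(verify_file(path, l) for l in lines)
        tampered = digest[:-1] + ("0" if digest[-1] != "0" else "1")
        ok = ok and not verify_file(path, tampered)
        ok = ok and not verify_file(path, "%s *other-artifact.zip" % digest)
        return ok


if __name__ == "__main__":
    print("self-check:", "ok" if self_check() else "FAILED")
```

The bare-hash format is the most permissive to read but carries no file name, so a verifier cannot tell which artifact a stray .sha512 belongs to; the GNU "<hex> *<file>" form is the one `sha1sum -c` and `sha512sum -c` consume directly, which is why the name check in verify_file refuses a line written for a different file.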