sebb wrote:
> [Eventually found the KEYS file in SVN, but it might be helpful to
> provide a pointer in the vote mails]

Good point, will do next time.

[...]
>
> There are some problems with the MD5 and SHA1 files.
>
> For example, uimaj-2.2.1-incubating-bin.tar.bz2.md5:
>
> ================
> uimaj-2.2.1-incubating-bin.tar.bz2: 53 20 6A FB 75 1F 07 9D BB 12 82 58 D0 7D
> CA 4B
> ================
>
> The hash is spread over two lines and into hex pairs. The normal
> format is either:
> 53206afb751f079dbb128258d07dca4b
> or
> 53206afb751f079dbb128258d07dca4b *uimaj-2.2.1-incubating-bin.tar.bz2
>
> The SHA1 checksums have the same problem.
>
> The PGP signatures are OK, however the format of the existing MD5/SHA1
> files means that most (all?) checking programs will have difficulty
> verifying the checksums.

We generate the checksums with

    gpg --print-md MD5 [fileName] > [fileName].md5

and

    gpg --print-md SHA1 [fileName] > [fileName].sha

respectively (as described in the release signing FAQ; however, I
suggested that text ;-). The advantage of using gpg is that you just
need one tool for the various signatures. If there are alternatives,
we'll be happy to entertain them (we use maven as our build env).

Can you elaborate on what checking programs are commonly used? It was
my understanding that the primary signing mechanisms were the PGP
signatures, and the checksums were just for quick sanity checks
(visual verification, as they are so short).

Thanks.

--Thilo
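
Added example, not part of the original message or of the project's tooling: a small verifier that accepts both checksum layouts discussed above, the wrapped "filename: 53 20 6A ..." text written by gpg --print-md and the plain "digest *filename" form, and compares either against a local file. The function names are hypothetical.

```python
import hashlib
import re

# Added example; function names are illustrative, not from any project.
# Hex digest lengths for the two checksum types discussed in the thread.
DIGEST_HEX_LEN = {"md5": 32, "sha1": 40}


def normalize_checksum(text, algorithm):
    """Return the lowercase hex digest found in a checksum file's text.

    Accepts a bare digest, the "digest *filename" form, and the
    "filename: 53 20 6A ..." form that gpg --print-md writes, which may
    wrap onto a second line.
    """
    want = DIGEST_HEX_LEN[algorithm]
    tokens = text.split()
    # Bare or "digest *filename": the first token is the whole digest.
    if tokens and re.fullmatch(r"[0-9A-Fa-f]{%d}" % want, tokens[0]):
        return tokens[0].lower()
    # gpg form: everything after the last colon is grouped hex, so the
    # filename (which may itself contain hex letters) is dropped first.
    _, sep, tail = text.rpartition(":")
    if not sep:
        raise ValueError("unrecognized checksum format")
    digest = "".join(tail.split()).lower()
    if not re.fullmatch(r"[0-9a-f]{%d}" % want, digest):
        raise ValueError("not a %s digest: %r" % (algorithm, digest))
    return digest


def verify_file(path, checksum_text, algorithm):
    """Hash the file at path and compare it with the published checksum."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest() == normalize_checksum(checksum_text, algorithm)


# The .md5 content quoted in the message, including its line wrap.
QUOTED_MD5 = ("uimaj-2.2.1-incubating-bin.tar.bz2: "
              "53 20 6A FB 75 1F 07 9D BB 12 82 58 D0 7D\nCA 4B\n")

if __name__ == "__main__":
    print(normalize_checksum(QUOTED_MD5, "md5"))
```

A matching checksum only shows that the download is intact; the PGP signature checked against the KEYS file is what ties the artifact to the release manager.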