[ https://issues.apache.org/jira/browse/HADOOP-9928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13941812#comment-13941812 ]
Gabriel Reid commented on HADOOP-9928:
--------------------------------------

Just ran into this on another project.

The creation of the mds file is documented in the [release instructions|http://wiki.apache.org/hadoop/HowToRelease], but by my read of the [ASF release signing documentation|http://www.apache.org/dev/release-signing.html#basic-facts], a file with suffix ".md5" must be present with each released artifact.

I'm also definitely in favour of having easily-verifiable artifacts via md5sum, for as long as md5sums are considered a necessary release artifact.

> provide md5, sha1 and .asc files, that are usable
> -------------------------------------------------
>
>                 Key: HADOOP-9928
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9928
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 2.1.0-beta, 1.2.1
>            Reporter: André Kelpe
>            Priority: Critical
>
> I am trying to verify the checksums of tarballs I downloaded and it seems
> that the way, those are produced is all but useful.
> Almost all other open source projects I know, create a .md5, .sha1 and .asc
> files, that can easily be used with tools like md5sum, sha1sum or gpg.
> The hadoop downloads provide an mds file, for which there seems to be no
> documentation on how to use it.
> Here are some challenges with that format:
> 0. all sorts of checksums are in the same file
> 1. The MD5 sum is all upper case (all of them are, to be precise)
> 2. The MD5 sum contains whitespace
> For the three above I came up with this interesting construct:
> {code}
> md5sum --check <(grep "MD5 = " some-file.mds | sed -e "s/MD5 = //g;s/ //g" | awk -F: '{print tolower($2), "", $1}')
> {code}
> That would work, if there wouldn't be the next problem:
> 3. The file format wraps lines around after 80 chars (see here for instance:
> http://apache.openmirror.de/hadoop/core/beta/hadoop-2.1.0-beta-src.tar.gz.mds)
> I really do not see, how this format is useful to anyone.
> 4. Next to all of that, there are no gpg signatures. How can I verify that
> the mirror, I downloaded the tarball from, was not compromised?
> It would be very helpful, if you could provide checksums and signatures the
> same way, that other projects use or at least explain how to use the mds
> files with standard unix tools.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
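The normalisation the issue description works towards, extended to the wrapped lines its one-liner cannot handle, as an added example that is not part of the original message or of Hadoop's release tooling. The function name `mds_to_checklist` is hypothetical, the sample .mds content is constructed (digests of an empty file), and the layout of continuation lines (indented, hex groups only) is an assumption.

```shell
# Added example: convert one digest type from a gpg-style .mds file into
# "<lowercase hex>  <file>" lines accepted by md5sum/sha1sum/sha256sum --check.
mds_to_checklist() {    # $1 = label as written in the file, $2 = .mds path
    awk -v want="$1" '
        function emit() {
            # Print only the requested digest, and only if it is pure hex.
            if (name != "" && label == want && hex ~ /^[0-9A-Fa-f]+$/)
                print tolower(hex) "  " name
            name = ""; hex = ""
        }
        # Start of a record: "<file>: <LABEL> = <hex groups>"
        match($0, /:[ \t]*[A-Za-z0-9]+[ \t]*=/) {
            emit()
            name  = substr($0, 1, RSTART - 1)
            label = substr($0, RSTART + 1, RLENGTH - 2); gsub(/[ \t]/, "", label)
            hex   = substr($0, RSTART + RLENGTH);        gsub(/[ \t]/, "", hex)
            next
        }
        # Wrapped remainder of the previous digest: hex groups and blanks only.
        name != "" && /^[ \t]*[0-9A-Fa-f][0-9A-Fa-f \t]*$/ {
            line = $0; gsub(/[ \t]/, "", line); hex = hex line
        }
        END { emit() }
    ' "$2"
}

# Constructed sample (layout assumed): digests of an empty file, empty.bin.
sample_mds() {
    cat <<'EOF'
empty.bin:    MD5 = D4 1D 8C D9 8F 00 B2 04  E9 80 09 98 EC F8 42 7E
empty.bin:   SHA1 = DA39 A3EE 5E6B 4B0D 3255  BFEF 9560 1890 AFD8 0709
empty.bin: SHA256 = E3B0C442 98FC1C14 9AFBF4C8 996FB924 27AE41E4 649B934C
                    A495991B 7852B855
EOF
}

demo_dir=$(mktemp -d)
: > "$demo_dir/empty.bin"
sample_mds > "$demo_dir/empty.bin.mds"
# Run from the artifact directory so the relative file name resolves.
if command -v sha256sum >/dev/null; then
    ( cd "$demo_dir" && mds_to_checklist SHA256 empty.bin.mds | sha256sum --check - )
fi
```

Passing `MD5` or `SHA1` as the first argument and piping into `md5sum --check -` or `sha1sum --check -` works the same way.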