On Thu, Sep 24, 2009 at 11:09 AM, Graham Leggett <[email protected]> wrote:
> Guenter Knauf wrote: > > >>>> Can you point out where this is documented? > >>> I'll try to dig that up. > >> If you can, please. > > I think what I meant were the pointers on the download side: > > http://httpd.apache.org/download.cgi > > see down last sentence - however its not explained how to check > > automatically; but I volunteer to add a section for this. > > The last sentence just says that md5 signatures are used, and suggests > software that might be used to verify md5 signatures, no mention is made > at all as to the format of the md5 files. > > As the roll.sh script is the current authoritative mechanism for how md5 > signatures are created, and roll.sh makes no guarantee as to the format > of the md5 file, all claims made to date that the signatures are in the > wrong format are therefore false. > Expectations of n users trump some the behavior of a helper script used by a few people, for our rather huge values of n. (And sure, roll.sh should get smarter.)
