Re: Checksum Format for .md5 and .sha1 Files

2009-01-02 Thread Brian Fox
I'm -1 to making a new format, but ambivalent about changing it to  
match openssl standards


--Brian (mobile)


On Jan 2, 2009, at 5:31 AM, Benjamin Bentmann wrote:

> Hi,
>
> With regard to MINSTALL-47, I would like to discuss if we can/should
> change the format used for checksum files generated by Maven.
>
> Currently, Maven outputs the plain checksum as-is to the checksum
> file (cf. [1]), e.g.
>
> 1dbbdec30feca97198d5d7e96d42dc57
>
> In the mentioned issue, it was requested to append the filename,
> separated by a space and asterisk, to the checksum:
>
> 1dbbdec30feca97198d5d7e96d42dc57 *maven-metadata.xml
>
> My naive assumption is that any decent checksum verification tool
> out there is able to strip extraneous characters from the checksum
> file if not processed. In contrast, guessing missing bits is usually
> harder for tools. So I believe changing the checksum format as
> requested would increase tool support.
>
> Maven itself can already process this checksum format (due to
> MNG-797) and an IT is online (for MNG-1349 which merely requires
> newer Maven versions for SHA-1 checksums in OpenSSL format).
>
> Technically, this change would affect the Maven Install Plugin and
> the DefaultWagonManager from maven-artifact-manager (aka maven-compat).
>
> WDYT?
>
> Benjamin
>
> [0] http://jira.codehaus.org/browse/MINSTALL-47
> [1] http://repo1.maven.org/maven2/org/apache/maven/plugins/maven-metadata.xml.md5

-
To unsubscribe, e-mail: dev-unsubscr...@maven.apache.org
For additional commands, e-mail: dev-h...@maven.apache.org






Re: Checksum Format for .md5 and .sha1 Files

2009-01-02 Thread Benjamin Bentmann

Brian Fox wrote:

> I'm -1 to making a new format


Just to make sure we all have the same understanding: The proposed 
format is not "new" as in "yet another checksum format". It's an already 
existing format used by the md5sum tool (compare the format attribute of 
Ant's checksum task [0]).



Benjamin


[0] http://ant.apache.org/manual/CoreTasks/checksum.html





Re: Checksum Format for .md5 and .sha1 Files

2009-01-02 Thread Tamás Cservenák
Not to mention, that there is already a lot of files generated by md5sum and
sha1sum apps on central:
http://repo2.maven.org/maven2/log4j/log4j/maven-metadata.xml.md5
http://repo2.maven.org/maven2/log4j/log4j/maven-metadata.xml.sha1

But in the above cases, the path is obviously misleading.

~t~

On Fri, Jan 2, 2009 at 5:36 PM, Benjamin Bentmann  wrote:

> Brian Fox wrote:
>
>> I'm -1 to making a new format
>
> Just to make sure we all have the same understanding: The proposed format
> is not "new" as in "yet another checksum format". It's an already existing
> format used by the md5sum tool (compare the format attribute of Ant's
> checksum task [0]).
>
>
> Benjamin
>
>
> [0] http://ant.apache.org/manual/CoreTasks/checksum.html


-- 
Thanks,
~t~


Re: Checksum Format for .md5 and .sha1 Files

2009-01-02 Thread Oleg Gusakov
I remember that wagon, at least 1.0-beta-4, strips everything after " *" 
in the signature file including, so it should already be implemented on 
the reading side. Wagon team - please correct me if I am wrong - I did 
not check out the wagon source.


So we'll have to add it to the writing side of wagon code and I'll add 
this to Mercury.


Question is - should verification fail if file name does not match? In 
the light of the latest event - CCC generating MD5 collisions - it's 
kind of pointless.


Overall - MD5 and SHA1 can only check for non-intentional data 
modifications, they don't address non-repudiation problems. And when was 
the last time your data was crippled during transfer? It does not happen 
any more.


That is why we should switch to PGP signatures as soon as possible - 
Mercury and Mercury Ant provide full support for that :)


Thanks,
Oleg

Tamás Cservenák wrote:

> Not to mention, that there is already a lot of files generated by md5sum and
> sha1sum apps on central:
> http://repo2.maven.org/maven2/log4j/log4j/maven-metadata.xml.md5
> http://repo2.maven.org/maven2/log4j/log4j/maven-metadata.xml.sha1
>
> But in the above cases, the path is obviously misleading.
>
> ~t~
>
> On Fri, Jan 2, 2009 at 5:36 PM, Benjamin Bentmann wrote:
>
>> Brian Fox wrote:
>>
>>> I'm -1 to making a new format
>>
>> Just to make sure we all have the same understanding: The proposed format
>> is not "new" as in "yet another checksum format". It's an already existing
>> format used by the md5sum tool (compare the format attribute of Ant's
>> checksum task [0]).
>>
>> Benjamin
>>
>> [0] http://ant.apache.org/manual/CoreTasks/checksum.html


Re: Checksum Format for .md5 and .sha1 Files

2009-01-02 Thread Benjamin Bentmann

Oleg Gusakov wrote:

> I remember that wagon, at least 1.0-beta-4, strips everything after " *"
> in the signature file including, so it should already be implemented on
> the reading side. Wagon team - please correct me if I am wrong - I did
> not check out the wagon source.


The checksum verification actually happens in Maven itself, more 
precisely in DefaultWagonManager.verifyChecksum(), independently of the 
Wagon version. Most of this parsing code dates back to Maven 2.0-beta-1 
(MNG-797).



Benjamin
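
The three checksum-file layouts mentioned in this thread (the plain digest, the md5sum/sha1sum form with ` *filename`, and the OpenSSL form) can be read by one tolerant parser that reports a file name mismatch separately from the digest result, which is the question raised earlier in the thread. This is an added example, not Maven's `DefaultWagonManager` code and not written by any poster; the function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import re

# Hex digest lengths for the two algorithms discussed in the thread.
HEX_LEN = {"md5": 32, "sha1": 40}
# OpenSSL "dgst" style line: "SHA1(name)= <hex>"
OPENSSL_RE = re.compile(r"^(?:MD5|SHA1)\((?P<name>.*)\)= ?(?P<hex>[0-9A-Fa-f]+)$")
# md5sum/sha1sum style line: "<hex> *name" (binary) or "<hex>  name" (text)
COREUTILS_RE = re.compile(r"^(?P<hex>[0-9A-Fa-f]+) [ *](?P<name>.+)$")
# Bare digest, the layout Maven wrote at the time of the thread
PLAIN_RE = re.compile(r"^(?P<hex>[0-9A-Fa-f]+)$")

# Constructed sample content standing in for a downloaded artifact.
SAMPLE = b"<metadata/>\n"


def parse_checksum_file(text, algorithm):
    """Return (lowercase_digest, recorded_name_or_None) from the first non-empty line."""
    line = next((l.strip() for l in text.splitlines() if l.strip()), "")
    for pattern in (OPENSSL_RE, COREUTILS_RE, PLAIN_RE):
        m = pattern.match(line)
        if m:
            digest = m.group("hex").lower()
            # Reject truncated or wrong-algorithm digests instead of guessing.
            if len(digest) != HEX_LEN[algorithm]:
                raise ValueError("digest length does not match " + algorithm)
            return digest, m.groupdict().get("name")
    raise ValueError("unrecognised checksum line")


def verify(data, checksum_text, algorithm, expected_name):
    """Return (digest_ok, name_ok); name_ok is None when no name is recorded."""
    digest, name = parse_checksum_file(checksum_text, algorithm)
    actual = hashlib.new(algorithm, data).hexdigest()
    name_ok = None
    if name is not None:
        # Compare only the last path component: a recorded path can be
        # misleading, as noted in the thread.
        name_ok = name.replace("\\", "/").rsplit("/", 1)[-1] == expected_name
    return digest == actual, name_ok
```

Keeping `name_ok` separate lets the caller decide whether a name mismatch is a warning or a failure; neither check says anything about who produced the file.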
