[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2015-02-18 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57344

Konstantin Kolinko knst.koli...@gmail.com changed:

   What|Removed |Added

 Resolution|--- |FIXED
 Status|NEW |RESOLVED

--- Comment #8 from Konstantin Kolinko knst.koli...@gmail.com ---
The patch applied to 6.0 in r1660738, will be in 6.0.44 onwards.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2014-12-14 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

--- Comment #7 from Konstantin Kolinko knst.koli...@gmail.com ---
Created attachment 32287
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32287&action=edit
2014-12-14_tc6_57344_sha1.patch

Patch for Tomcat 6.
Add sha1 checksums. I am not backporting GPG signing.

(In reply to Konstantin Kolinko from comment #6)
> A note on backporting to Tomcat 6:

To avoid special-casing the extras, it is possible to implement signing
differently from Tomcat 7: sign all files in one step. In Ant there exists
apply/ task, that runs an external executable over a set of files.




[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2014-12-13 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

--- Comment #4 from Konstantin Kolinko knst.koli...@gmail.com ---
> No objections but what is the benefit?

My concern is that there has been actual malware that exploited a weakness in
MD5 (Flame, as mentioned in the Wikipedia article on MD5). As such I think that md5
is not enough to verify file integrity.

https://en.wikipedia.org/wiki/MD5

> Re sha2:
> 1. As above. What is the benefit.

I am neutral on sha2.
I just think that it is easier to add it now while this task is in our scope.


> 4. The same format as we do for sha1 unless there is a good reason not to.

Ack.
I am opting for {hash} *(unknown) format then.

Apache Ant can be used to validate it, among other options.


Thank you for your review.




[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2014-12-13 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

Konstantin Kolinko knst.koli...@gmail.com changed:

   What|Removed |Added

  Component|Packaging   |Native:Packaging
Version|trunk   |6.0.43
Product|Tomcat 8|Tomcat 6

--- Comment #5 from Konstantin Kolinko knst.koli...@gmail.com ---
Fixed in Tomcat trunk, 8, 7 (r1645357, r1645360, r1645361) to be in 8.0.16,
7.0.58.




[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2014-12-13 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

--- Comment #6 from Konstantin Kolinko knst.koli...@gmail.com ---
A note on backporting to Tomcat 6:

1) GPG support (target name=sign) does not exist in Tomcat 6. I think it
makes sense to backport that as well.

Revisions for this feature are r1231923, r1231947 and r1232368 (January 2012).

2) md5sum is calculated both in extras.xml and dist.xml




[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2014-12-12 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

--- Comment #3 from Mark Thomas ma...@apache.org ---
+0 to the patch. No objections but what is the benefit?

Re sha2:
1. As above. What is the benefit.

2. I'm less concerned about what other ASF projects are doing and more
concerned about what the benefit of doing it is.
2b) I'll see if I can get that fixed.

3. I use cyohash. It doesn't support the exact formats but it is good enough
for validating.

4. The same format as we do for sha1 unless there is a good reason not to.




[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2014-12-11 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

--- Comment #1 from Konstantin Kolinko knst.koli...@gmail.com ---
Created attachment 32286
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=32286&action=edit
2014-12-12_tc9_57344_sha1.patch




[Bug 57344] [PATCH] Provide sha1 checksum files for Tomcat downloads

2014-12-11 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=57344

Christopher Schultz ch...@christopherschultz.net changed:

   What|Removed |Added

 OS||All

--- Comment #2 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to Konstantin Kolinko from comment #0)
> 3) I do not have a command-line tool to automatically verify sha-512.
>
> There exists sha512sum from GNU,
> http://www.gnu.org/software/coreutils/manual/coreutils.html#sha2-utilities
>
> but GnuWin32 CoreUtils do not have this tool.

The 'sha512sum' command exists on both Debian and Amazon Linux (CentOS/RHEL
compatible), and so I would imagine it's available on most Linux distributions.
Mac OS X has 'shasum -a 512' which mimics the behavior of GNU shaXsum
(according to the man page).

As we use Apache Ant for building, why not just use checksum?
https://ant.apache.org/manual/Tasks/checksum.html

It can be configured to use any of the proposed formats...

> 4) What file format shall we use?
>
> Apache Ant downloads are using hashsum + LF.
>
> We are using hashsum + " *" + filename, which is the format supported by
> the md5sum and sha1sum GNU utilities.
>
> `openssl dgst -sha512 filename` generates "SHA512(" + filename + ")= "
> + hashsum + LF, but I think that openssl does not read this format.
>
> I think it would be better to print just the hashsum value, but I wonder if
> that is supported by the sha512sum tool.

I don't believe shaXsum can do that. I can't get the Mac version to do it,
either. If sed/awk/etc can be relied upon, we can always cobble-together
whatever combination of strings we need to make the tools happy.

In what environments do we think that checksums will be verified?

Ant's checksum can verify a signature as well as generate one. Is Ant/JVM any
more/less trustworthy than shaXsum/openssl?

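The three checksum-file layouts compared in comment #0 and comment #2 (Ant's bare hashsum + LF, the GNU `hashsum *filename` format the thread settles on in comment #4, and openssl's `SHA512(filename)= hashsum`), as an added example that is not code from the Tomcat build or from anyone in the thread. The script writes a `.sha512` file in the GNU format and verifies an artifact against any of the three layouts, using whichever of sha512sum, `shasum -a 512` or `openssl dgst -sha512` is installed. The function names, the tool fallback order and the sample file content are assumptions made here, not part of the original discussion:

```shell
#!/bin/sh
# Added example (not from the Tomcat build or the bug report).
# Writes and verifies SHA-512 checksum files in the formats the thread compares.
set -eu

# Bare hex SHA-512 of a file, normalized across the tools named in the thread.
# Tool preference (assumption): GNU sha512sum, then shasum -a 512, then openssl.
sha512_hex() {
    f=$1
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$f" | cut -d' ' -f1           # prints "hash  file"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 512 "$f" | cut -d' ' -f1       # same layout as GNU shaXsum
    else
        openssl dgst -sha512 "$f" | sed 's/.*= //' # prints "SHA512(file)= hash"
    fi
}

# Write "hash *filename" next to the artifact ('*' marks binary mode, as the
# GNU md5sum/sha1sum/sha512sum tools expect it).
write_sha512_file() {
    f=$1
    printf '%s *%s\n' "$(sha512_hex "$f")" "$(basename "$f")" > "$f.sha512"
}

# Pull the recorded hash out of the first line of a checksum file, whichever
# of the three layouts it uses: bare hash, "hash *file" / "hash  file",
# or openssl's "SHA512(file)= hash" (OpenSSL 3 prints "SHA2-512(file)= hash").
recorded_hash() {
    line=$(head -n 1 "$1")
    case $line in
        *')= '*) printf '%s\n' "${line##*= }" ;;
        *)       printf '%s\n' "${line%% *}" ;;
    esac
}

# Verify artifact $1 against checksum file $2. Always compares the recomputed
# hash; additionally runs "sha512sum -c" when the file is in GNU format and
# the tool exists, which is the check an end user would type.
verify_sha512() {
    f=$1; sums=$2
    [ "$(sha512_hex "$f")" = "$(recorded_hash "$sums")" ] || return 1
    if command -v sha512sum >/dev/null 2>&1 && grep -q ' \*' "$sums"; then
        (cd "$(dirname "$f")" && sha512sum -c "$(basename "$sums")") >/dev/null 2>&1
    fi
}

# Demonstration on a constructed artifact (content "abc", no trailing newline).
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/sample.bin"
write_sha512_file "$demo_dir/sample.bin"
cat "$demo_dir/sample.bin.sha512"
verify_sha512 "$demo_dir/sample.bin" "$demo_dir/sample.bin.sha512" && echo "sample.bin: OK"
# Tamper with the artifact after the checksum was published; verification must fail.
printf 'abd' > "$demo_dir/sample.bin"
verify_sha512 "$demo_dir/sample.bin" "$demo_dir/sample.bin.sha512" || echo "sample.bin: FAILED (tampered)"
rm -r "$demo_dir"
```

Note that a checksum file fetched over the same channel as the artifact only detects corruption, not substitution: an attacker who can replace the tarball can replace the `.sha512` beside it. The GPG signatures discussed for backporting in comment #6 are what bind the hash to the project's release key.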