Robert Voelkerding | 1 May 2005 20:02

Verifying Downloads

Please direct me to an explanation of how to use MDE and/or PGP keys to verify downloads.

Thank you.
Henri Yandell | 1 May 2005 20:59

Re: Verifying Downloads


That would be a good link to have on the download pages wouldn't it :)

Googling, I get:

http://www.hybridized.org/forum/viewtopic.php?t=222

which contains nice links to Windows programs. Verifying MD5 is easy on 
unix-based machines as it's the output of either the md5 or md5sum 
commands.

Closer to home Apache-wise, there's the HTTPD document on verifying the 
PGP keys.

http://httpd.apache.org/dev/verification.html

Hope that helps, and I'll add having a better answer on the site to the 
todo list.

Hen

On Sun, 1 May 2005, Robert Voelkerding wrote:

> Please direct me to an explanation of how to use MDE and/or PGP keys to verify downloads.
>
> Thank you.
>
Phil Steitz | 1 May 2005 18:03

[site] Re: Verifying Downloads

Robert Voelkerding wrote:
> Please direct me to an explanation of how to use MDE and/or PGP keys to verify downloads.
> 
> Thank you.
> 
Robert,

The basic instructions are, e.g., here:
http://httpd.apache.org/download.cgi#verify

Make sure to download the KEYS file from the main apache distribution 
directory (URL starting with http://www.apache.org/dist).

Let us know if this info is not sufficient.

[site]
We should probably either
1) follow struts, ant, et al and make a copy of this to reference on
http://jakarta.apache.org/site/downloads/index.html; or
2) create a more complete page to put on the main apache site and have 
all the download pages link to it

preferences? volunteers?

Phil
robert burrell donkin | 1 May 2005 21:13

Re: Verifying Downloads

sadly, AFAIK this document does not exist as yet. (i have been intending
to create one for quite a long time.) 

please google for the theory behind these technologies but i'll try to
give a brief guide. 

md5 is a checksum. a checksum is a numeric hash of a file. the idea is
that two different files will have different checksums. you use a
secure, trusted channel to learn the checksum then use the same
algorithm to calculate the checksum for the file which has been obtained
from an untrusted channel. if the checksum calculated matches then you
can conclude that the file is identical to the one that the trusted
checksum was calculated from.

in ASF terms, downloading a file from an apache mirror and an md5
checksum from an apache server and calculating the md5 sum for that file
should allow you to determine whether the file you downloaded from the
mirror is identical to the file that the sum placed on the apache server
was calculated from.

checking the md5 sum should be a good enough guarantee for the vast
majority of users. 

if you have more stringent requirements, you might also want to check
the openPGP compatible digital signature. this tells you something
different: which key was used to sign the release. if you have a public
key matching the private key used to sign the release then you can
verify the signature of the file. this tells you whether the file is
identical to the one used to create the signature. note that you can
only trust this method of verification as far as you can trust the

robert burrell donkin | 1 May 2005 21:45

Re: Verifying Downloads

On Sun, 2005-05-01 at 14:59 -0400, Henri Yandell wrote:
> That would be a good link to have on the download pages wouldn't it :)
> 
> Googling, I get:
> 
> http://www.hybridized.org/forum/viewtopic.php?t=222
> 
> which contains nice links to Windows programs. Verifying MD5 is easy on 
> unix-based machines as it's the output of either the md5 or md5sum 
> commands.
> 
> Closer to home Apache-wise, there's the HTTPD document on verifying the 
> PGP keys.
> 
> http://httpd.apache.org/dev/verification.html
> 
> Hope that helps, and I'll add having a better answer on the site to the 
> todo list.

the best place would probably be in the release FAQ over on the
foundation site. i've been meaning to add some information on this for a
while but haven't found the time as yet.

- robert
J.Pietschmann | 2 May 2005 20:43
Re: Verifying Downloads

Henri Yandell wrote:
> which contains nice links to Windows programs.

Cygwin (http://www.cygwin.com) contains ports of all important
Unix command line programs, including gpg and multiple ways to
compute md5 (md5, md5sum, openssl md5, perl etc.). A must have.

J.Pietschmann
Simon Kitching | 3 May 2005 05:43
[Fwd: wiki administration: bang_meta]

I got no response to this on the PMC list.
Maybe someone here can help?

-------- Forwarded Message --------
> From: Simon Kitching <skitching <at> apache.org>
> Reply-To: skitching <at> apache.org
> To: pmc <at> jakarta.apache.org
> Subject: wiki administration: bang_meta
> Date: Fri, 29 Apr 2005 18:59:10 +1200
> Hi,
> 
> I have noticed that in the commons wikis, the syntax !SomeName could
> previously be used to suppress the default behaviour of turning such a
> string into a link. This behaviour appears to have been disabled.
> 
> Could we please turn this back on?
> 
> 
Apache Wiki | 3 May 2005 06:16
[Jakarta Wiki] Update of "FrontPage" by SimonKitching

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jakarta Wiki" for change notification.

The following page has been changed by SimonKitching:
http://wiki.apache.org/jakarta/FrontPage

------------------------------------------------------------------------------
  ##language:en
  #pragma section-numbers off
  = Welcome to the Jakarta Wiki =
- || http://jakarta.apache.org/images/jakarta-community.png ||  This is the
[http://wiki.apache.org/general/ Apache Wiki] for the [http://jakarta.apache.org/ Jakarta]
community. To edit pages, visit UserPreferences at the top-right of any page to create a user profile or to
login. Notifications of all changes you make will be sent to the general <at> jakarta mailing list, so we will
be aware of your changes and we will happily correct any small mistakes that you might make. ||
+ || http://jakarta.apache.org/images/jakarta-community.png ||  This is the
[http://wiki.apache.org/general/ Apache Wiki] for the [http://jakarta.apache.org/ Jakarta]
community. To edit pages, visit [wiki:UserPreferences login] near the top right corner of any page to
create a user profile or to login. Notifications of all changes you make will be sent to the
general <at> jakarta mailing list, so we will be aware of your changes and we will happily correct any small
mistakes that you might make. ||
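Review bot: in the added line the link label is "login", so the rendered sentence reads "visit login near the top right corner of any page to create a user profile or to login", which repeats the word and hides the page name. Suggest keeping "UserPreferences" as the label, and confirming that the "wiki:" form resolves to the local UserPreferences page.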

- The Jakarta project exists to provide server-side solutions using the Java language. 
+ The Jakarta project is a collection of sub-projects that provide server-side solutions using the Java language.
+ The Apache Software Foundation also hosts projects written in Java which are not managed as part of the
Jakarta project; 
+ see the list of top-level projects at [http://www.apache.org the main apache website] and
[http://wiki.apache.org the main Apache Wiki] for information on these.
+ 
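Review bot: the two link labels in the added sentence are capitalized differently, "the main apache website" and "the main Apache Wiki"; suggest "the main Apache website" so both match.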

Simon Kitching | 3 May 2005 06:54
InterWiki links

Hi,

Jakarta-commons had this link:
  [wiki:Jakarta/FrontPage]
which presumably used to link to
  http://wiki.apache.org/jakarta/FrontPage

But it was just linking to
  http://wiki.apache.org/jakarta-commons/InterWiki
which is of no use at all.

I have fixed the jakarta-commons page by using a direct link,
but don't know if this syntax is being used elsewhere...

Regards,

Simon
Apache Wiki | 3 May 2005 11:30
[Jakarta Wiki] Update of "technorati" by technorati

Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Jakarta Wiki" for change notification.

The following page has been changed by technorati:
http://wiki.apache.org/jakarta/technorati

New page:
Hi there!

I'm a Java developer currently working on J2EE related projects. We use struts, hivemind, and tomcat.
