29 Jul
2020
29 Jul
'20
11:04 a.m.
Hello,
being discussed during the last devel meetings, I published the md5,
sha1 and sha256 hash values for the tarballs with sources and i386
binaries we make available for download on kamailio.org on each release
-- e.g., for 5.4.0:
* https://www.kamailio.org/pub/kamailio/5.4.0/src/
* https://www.kamailio.org/pub/kamailio/5.4.0/bin/
Before making a more official announcement about it and adding to the
download/install docs, I want to discuss a little bit here and get to
the right solution to publish these hash values. For the moment I put
them in a single file, adding -checksums.txt to the tarball name,
listing inside all 3 hashes as computed by md5sum, sha1sum and sha256sum.
That because I couldn't decide alone if there is sort of a standard on
how to do it.
Couple of projects I checked they just list the hash values on the html
page with the link to download file. Others have dedicated files per
hashing type, named like MD5SUMS, SHA1SUMS and SHA256SUMS, containing
hash values for all downloadable files in the folder.
Then, asterisk projects publishes 3 files,
asterisk-VERSION.{md5,sha1,sha256}, corresponding to the tar.gz file
they made available. Freeswitch publishes more than one archive file
type, so it makes available files like
freeswitch-VERSION.EXT.{md5,sha1,sha256}, where EXT can be tar.gz,
tar.xz, zip ...
My questions now. What kind of files with hash values people here are
used with? Any variants that tends to be (or become the standard)?
Any tools you are aware of for automatically checking the integrity with
one of these specific hash files (like, if I have the tarball and the
hashes file in the same folder and run it, it gives the ok/not-ok,
without me having to do md5/sha1/sha256 manually and check "by eye" the
values)?
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
29 Jul
29 Jul
11:13 a.m.
Hello Daniel,
good idea. If there is a standard on publishing this kind of hash values, I did not notice
it before.
Just one comment about the hash algorithms, if we introduce it now, we should not publish
MD5 and SHA1 values anymore. There are now practically broken (MD5 since several years,
SHA1 since 2019).
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
-----Original Message-----
From: sr-users <sr-users-bounces(a)lists.kamailio.org> On Behalf Of Daniel-Constantin
Mierla
Sent: Wednesday, July 29, 2020 5:04 PM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: [SR-Users] publishing hash values for download files of releases
Hello,
being discussed during the last devel meetings, I published the md5,
sha1 and sha256 hash values for the tarballs with sources and i386 binaries we make
available for download on kamailio.org on each release
-- e.g., for 5.4.0:
* https://www.kamailio.org/pub/kamailio/5.4.0/src/
* https://www.kamailio.org/pub/kamailio/5.4.0/bin/
Before making a more official announcement about it and adding to the download/install
docs, I want to discuss a little bit here and get to the right solution to publish these
hash values. For the moment I put them in a single file, adding -checksums.txt to the
tarball name, listing inside all 3 hashes as computed by md5sum, sha1sum and sha256sum.
That because I couldn't decide alone if there is sort of a standard on how to do it.
Couple of projects I checked they just list the hash values on the html page with the link
to download file. Others have dedicated files per hashing type, named like MD5SUMS,
SHA1SUMS and SHA256SUMS, containing hash values for all downloadable files in the
folder.
Then, asterisk projects publishes 3 files, asterisk-VERSION.{md5,sha1,sha256},
corresponding to the tar.gz file they made available. Freeswitch publishes more than one
archive file type, so it makes available files like
freeswitch-VERSION.EXT.{md5,sha1,sha256}, where EXT can be tar.gz, tar.xz, zip ...
My questions now. What kind of files with hash values people here are used with? Any
variants that tends to be (or become the standard)?
Any tools you are aware of for automatically checking the integrity with one of these
specific hash files (like, if I have the tarball and the hashes file in the same folder
and run it, it gives the ok/not-ok, without me having to do md5/sha1/sha256 manually and
check "by eye" the values)?
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda --
www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
30 Jul
30 Jul
2:21 a.m.
Hello,
On 29.07.20 17:13, Henning Westerholt wrote:
Hello Daniel,
good idea. If there is a standard on publishing this kind of hash values, I did not
notice it before.
Just one comment about the hash algorithms, if we introduce it now, we should not publish
MD5 and SHA1 values anymore. There are now practically broken (MD5 since several years,
SHA1 since 2019).
since many projects are still publishing md5 and sha1, I thought there
are tools that can check all three at once ... if not, we can skip
generating them.
Cheers,
Daniel
Cheers,
Henning
--
Henning Westerholt – https://skalatan.de/blog/
Kamailio services – https://gilawa.com
-----Original Message-----
From: sr-users <sr-users-bounces(a)lists.kamailio.org> On Behalf Of Daniel-Constantin
Mierla
Sent: Wednesday, July 29, 2020 5:04 PM
To: Kamailio (SER) - Users Mailing List <sr-users(a)lists.kamailio.org>
Subject: [SR-Users] publishing hash values for download files of releases
Hello,
being discussed during the last devel meetings, I published the md5,
sha1 and sha256 hash values for the tarballs with sources and i386 binaries we make
available for download on kamailio.org on each release
-- e.g., for 5.4.0:
* https://www.kamailio.org/pub/kamailio/5.4.0/src/
* https://www.kamailio.org/pub/kamailio/5.4.0/bin/
Before making a more official announcement about it and adding to the download/install
docs, I want to discuss a little bit here and get to the right solution to publish these
hash values. For the moment I put them in a single file, adding -checksums.txt to the
tarball name, listing inside all 3 hashes as computed by md5sum, sha1sum and sha256sum.
That because I couldn't decide alone if there is sort of a standard on how to do it.
Couple of projects I checked they just list the hash values on the html page with the
link to download file. Others have dedicated files per hashing type, named like MD5SUMS,
SHA1SUMS and SHA256SUMS, containing hash values for all downloadable files in the folder.
Then, asterisk projects publishes 3 files, asterisk-VERSION.{md5,sha1,sha256},
corresponding to the tar.gz file they made available. Freeswitch publishes more than one
archive file type, so it makes available files like
freeswitch-VERSION.EXT.{md5,sha1,sha256}, where EXT can be tar.gz, tar.xz, zip ...
My questions now. What kind of files with hash values people here are used with? Any
variants that tends to be (or become the standard)?
Any tools you are aware of for automatically checking the integrity with one of these
specific hash files (like, if I have the tarball and the hashes file in the same folder
and run it, it gives the ok/not-ok, without me having to do md5/sha1/sha256 manually and
check "by eye" the values)?
Cheers,
Daniel
--
Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda --
www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users(a)lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
1628
days inactive
1629
days old
2 comments
2 participants
participants (2)
-
Daniel-Constantin Mierla -
Henning Westerholt