[SR-Users] publishing hash values for download files of releases

Daniel-Constantin Mierla miconda at gmail.com
Thu Jul 30 08:21:24 CEST 2020


Hello,

On 29.07.20 17:13, Henning Westerholt wrote:
> Hello Daniel,
>
> good idea. If there is a standard on publishing this kind of hash values, I did not notice it before.
>
> Just one comment about the hash algorithms: if we introduce it now, we should not publish MD5 and SHA1 values anymore. They are now practically broken (MD5 for several years, SHA1 since 2019).

Since many projects are still publishing md5 and sha1, I thought there
are tools that can check all three at once ... if not, we can skip
generating them.

Cheers,
Daniel

>
> Cheers,
>
> Henning
>
> -- 
> Henning Westerholt – https://skalatan.de/blog/
> Kamailio services – https://gilawa.com 
>
> -----Original Message-----
> From: sr-users <sr-users-bounces at lists.kamailio.org> On Behalf Of Daniel-Constantin Mierla
> Sent: Wednesday, July 29, 2020 5:04 PM
> To: Kamailio (SER) - Users Mailing List <sr-users at lists.kamailio.org>
> Subject: [SR-Users] publishing hash values for download files of releases
>
> Hello,
>
> As discussed during the last devel meetings, I published the md5,
> sha1 and sha256 hash values for the tarballs with sources and i386 binaries we make available for download on kamailio.org on each release
> -- e.g., for 5.4.0:
>
>   * https://www.kamailio.org/pub/kamailio/5.4.0/src/
>
>   * https://www.kamailio.org/pub/kamailio/5.4.0/bin/
>
> Before making a more official announcement about it and adding it to the download/install docs, I want to discuss a little bit here and get to the right solution to publish these hash values. For the moment I put them in a single file, adding -checksums.txt to the tarball name, listing inside all 3 hashes as computed by md5sum, sha1sum and sha256sum.
>
> That is because I couldn't decide alone if there is sort of a standard on how to do it.
>
> A couple of projects I checked just list the hash values on the HTML page with the link to the download file. Others have dedicated files per hashing type, named like MD5SUMS, SHA1SUMS and SHA256SUMS, containing hash values for all downloadable files in the folder.
>
> Then, the Asterisk project publishes 3 files, asterisk-VERSION.{md5,sha1,sha256}, corresponding to the tar.gz file they make available. FreeSWITCH publishes more than one archive file type, so it makes available files like freeswitch-VERSION.EXT.{md5,sha1,sha256}, where EXT can be tar.gz, tar.xz, zip ...
>
> My questions now: what kind of files with hash values are people here used to? Any variants that tend to be (or become) the standard?
>
> Any tools you are aware of for automatically checking the integrity with one of these specific hash files (like, if I have the tarball and the hashes file in the same folder and run it, it gives the ok/not-ok, without me having to do md5/sha1/sha256 manually and check "by eye" the values)?
>
> Cheers,
> Daniel
>
> --
> Daniel-Constantin Mierla -- www.asipto.com www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Funding: https://www.paypal.me/dcmierla
>
>

-- 
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Funding: https://www.paypal.me/dcmierla
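
An added example, not part of the thread and not Kamailio project code: one way to automate the ok/not-ok check asked about above against a single mixed checksums file. It assumes the file holds lines in the output format of md5sum, sha1sum and sha256sum (`<hex>  <filename>`); the file name and payload in `demo()` are constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length identifies the algorithm in a mixed checksums file.
ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
# md5sum/sha1sum/sha256sum line: "<hex>  <name>" (text) or "<hex> *<name>" (binary).
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_checksums(text):
    """Return [(algo, hexdigest, filename)] for every recognised line."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip("\r\n"))
        algo = ALGO_BY_HEXLEN.get(len(m.group(1))) if m else None
        if algo:
            entries.append((algo, m.group(1).lower(), m.group(2)))
    return entries

def file_digest(path, algo):
    """Hash the file in chunks so large tarballs do not need to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, checksums_text, required="sha256"):
    """Pass only if a `required` digest is listed for the file and every listed digest matches."""
    name = os.path.basename(path)
    results = {}
    for algo, digest, fname in parse_checksums(checksums_text):
        if os.path.basename(fname) == name:
            results[algo] = hmac.compare_digest(file_digest(path, algo), digest)
    return bool(results.get(required)) and all(results.values()), results

def demo():
    """Constructed sample: a stand-in 'tarball' and checksum lines as the three tools would write them."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "example-1.0_src.tar.gz")  # hypothetical file name
        with open(path, "wb") as f:
            f.write(b"constructed sample payload\n")
        good = "".join(f"{file_digest(path, a)}  example-1.0_src.tar.gz\n" for a in ("md5", "sha1", "sha256"))
        weak_only = "\n".join(good.splitlines()[:2])      # md5 + sha1 lines only
        tampered = good.replace(file_digest(path, "sha256"), "0" * 64)
        return verify(path, good), verify(path, weak_only), verify(path, tampered)

if __name__ == "__main__":
    print(demo())
```

The `required="sha256"` default follows the concern raised in the thread about MD5 and SHA1: a file that lists only those two digests is reported as not verified even when both match.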



