incubator-general mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Thilo Goetz <>
Subject Re: [VOTE] Approve release Apache UIMA 2.2.1-incubating
Date Mon, 17 Dec 2007 09:36:41 GMT
sebb wrote:
> [Eventually found the KEYS file in SVN, but it might be helpful to
> provide a pointer in the vote mails]

Good point, will do next time.

> There are some problems with the MD5 and SHA1 files.
> For example, uimaj-2.2.1-incubating-bin.tar.bz2.md5:
> ================
> uimaj-2.2.1-incubating-bin.tar.bz2: 53 20 6A FB 75 1F 07 9D  BB 12 82 58 D0 7D
>                                     CA 4B
> ================
> The hash is spread over two lines and into hex pairs. The normal
> format is either:
> 53206afb751f079dbb128258d07dca4b
> or
> 53206afb751f079dbb128258d07dca4b *uimaj-2.2.1-incubating-bin.tar.bz2
> The SHA1 checksums have the same problem.
> The PGP signatures are OK, however the format of the existing MD5/SHA1
> files means that most (all?) checking programs will have difficulty
> verifying the checksums.

We generate the checksums with

gpg --print-md MD5 [fileName] > [fileName].md5


gpg --print-md SHA1 [fileName] > [fileName].sha

respectively (as described in the release signing FAQ; however,
I suggested that text ;-).  The advantage of using gpg is that
you just need one tool for the various signatures.  If there
are alternatives, we'll be happy to entertain them (we use maven
as our build env).

Can you elaborate on what checking programs are commonly used?
It was my understanding that the primary signing mechanisms were
the PGP signatures, and the checksums were just for quick sanity
checks (visual verification, as they are so short).  Thanks.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message