MD5/SHA1 links - make sure they are removed in component source!

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

MD5/SHA1 links - make sure they are removed in component source!

sebb-2-2
DIGESTER-191 - md5 checksum: 404 Not Found
noted that the hash download links did not work.

It transpired that many of the commons download pages still linked to
the SHA1/MD5 hashes, even if these had been replaced on the download
site.

I think I have now fixed all the links - and dropped old md5/sha1
hashes that were not needed.

I did this by editting the SVN production website files to avoid
having to regenerate all the sites.
However I have not fixed all the source files, so please check that
the correct hashes are being generated and linked when republishing.

Thanks!
S

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: MD5/SHA1 links - make sure they are removed in component source!

Bernd Eckenfels
Is that change done here?

https://svn.apache.org/repos/infra/websites/production/commons/content/proper/

Is there a Svn Web view where we can see the commit and check out what files have been changed? Maybe we can also reduce the number of download links to mainly the mirror scripts?

Gruss
Bernd

Gruss
Bernd
--
http://bernd.eckenfels.net

________________________________
Von: sebb <[hidden email]>
Gesendet: Dienstag, März 12, 2019 9:56 AM
An: CommonsDev
Betreff: MD5/SHA1 links - make sure they are removed in component source!

DIGESTER-191 - md5 checksum: 404 Not Found
noted that the hash download links did not work.

It transpired that many of the commons download pages still linked to
the SHA1/MD5 hashes, even if these had been replaced on the download
site.

I think I have now fixed all the links - and dropped old md5/sha1
hashes that were not needed.

I did this by editting the SVN production website files to avoid
having to regenerate all the sites.
However I have not fixed all the source files, so please check that
the correct hashes are being generated and linked when republishing.

Thanks!
S

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: MD5/SHA1 links - make sure they are removed in component source!

sebb-2-2
On Tue, 12 Mar 2019 at 09:11, Bernd Eckenfels <[hidden email]> wrote:
>
> Is that change done here?
>
> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/

Yes, I have a local checkout of the top two levels (only) which makes
this very easy.

> Is there a Svn Web view where we can see the commit and check out what files have been changed?

The changes were all sent to the [hidden email] list.

I don't know if there is a web view.

> Maybe we can also reduce the number of download links to mainly the mirror scripts?

If you are talking about dropping the links to KEYS, hashes and sigs,
they are required
https://www.apache.org/dev/release-distribution#download-links

It must be easy for downloaders to fetch these files for verification purposes.

> Gruss
> Bernd
>
> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
>
> ________________________________
> Von: sebb <[hidden email]>
> Gesendet: Dienstag, März 12, 2019 9:56 AM
> An: CommonsDev
> Betreff: MD5/SHA1 links - make sure they are removed in component source!
>
> DIGESTER-191 - md5 checksum: 404 Not Found
> noted that the hash download links did not work.
>
> It transpired that many of the commons download pages still linked to
> the SHA1/MD5 hashes, even if these had been replaced on the download
> site.
>
> I think I have now fixed all the links - and dropped old md5/sha1
> hashes that were not needed.
>
> I did this by editting the SVN production website files to avoid
> having to regenerate all the sites.
> However I have not fixed all the source files, so please check that
> the correct hashes are being generated and linked when republishing.
>
> Thanks!
> S
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: MD5/SHA1 links - make sure they are removed in component source!

Bernd Eckenfels
Hello,

I was only looking on the commit mailing list, found it on notify, thanks.

You did not explicitely mention it, but it looks like you only had to change download pages, so my comment about removing the links anywhere else is I guess moot.

BTW the (Imaging] Download (still) points to incubator, are we planning to change this?

Gruss
Bernd
--
http://bernd.eckenfels.net
________________________________
Von: sebb <[hidden email]>
Gesendet: Dienstag, März 12, 2019 10:37 AM
An: Commons Developers List
Betreff: Re: MD5/SHA1 links - make sure they are removed in component source!

On Tue, 12 Mar 2019 at 09:11, Bernd Eckenfels <[hidden email]> wrote:
>
> Is that change done here?
>
> https://svn.apache.org/repos/infra/websites/production/commons/content/proper/

Yes, I have a local checkout of the top two levels (only) which makes
this very easy.

> Is there a Svn Web view where we can see the commit and check out what files have been changed?

The changes were all sent to the [hidden email] list.

I don't know if there is a web view.

> Maybe we can also reduce the number of download links to mainly the mirror scripts?

If you are talking about dropping the links to KEYS, hashes and sigs,
they are required
https://www.apache.org/dev/release-distribution#download-links

It must be easy for downloaders to fetch these files for verification purposes.
Reply | Threaded
Open this post in threaded view
|

Re: MD5/SHA1 links - make sure they are removed in component source!

sebb-2-2
On Tue, 12 Mar 2019 at 09:52, Bernd Eckenfels <[hidden email]> wrote:
>
> Hello,
>
> I was only looking on the commit mailing list, found it on notify, thanks.
>
> You did not explicitely mention it, but it looks like you only had to change download pages, so my comment about removing the links anywhere else is I guess moot.
>
> BTW the (Imaging] Download (still) points to incubator, are we planning to change this?

Please start a new thread for a new issue, thanks!

> Gruss
> Bernd
> --
> http://bernd.eckenfels.net
> ________________________________
> Von: sebb <[hidden email]>
> Gesendet: Dienstag, März 12, 2019 10:37 AM
> An: Commons Developers List
> Betreff: Re: MD5/SHA1 links - make sure they are removed in component source!
>
> On Tue, 12 Mar 2019 at 09:11, Bernd Eckenfels <[hidden email]> wrote:
> >
> > Is that change done here?
> >
> > https://svn.apache.org/repos/infra/websites/production/commons/content/proper/
>
> Yes, I have a local checkout of the top two levels (only) which makes
> this very easy.
>
> > Is there a Svn Web view where we can see the commit and check out what files have been changed?
>
> The changes were all sent to the [hidden email] list.
>
> I don't know if there is a web view.
>
> > Maybe we can also reduce the number of download links to mainly the mirror scripts?
>
> If you are talking about dropping the links to KEYS, hashes and sigs,
> they are required
> https://www.apache.org/dev/release-distribution#download-links
>
> It must be easy for downloaders to fetch these files for verification purposes.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: MD5/SHA1 links - make sure they are removed in component source!

Bernd Eckenfels
Hello,

Sebb:
>> BTW the (Imaging] Download (still) points to incubator
>Please start a new thread for a new issue, thanks!

I noticed this seems to be expected as [Imaging] does Mention it on the site. So I dont pursue this part further.

However while  trying to fix some site typos I also tried to recreate the download page and I noticed something strange:

[Imaging] uses parent 47 (build-plugin 1.9), but when I run* the download-page goal  it generated download_imaging with  SHA1-links.

When I look into the source of the download-page:1.9 it seems to default to SHA512 and in the effective pomI dont see Commons.release.hash beeing overwritten.

How is it actually configured to use sha256 in the download-page plugin?

I even tried -Dcommons.release.hash=sha256, but that had no effect, presumeable because the Mojo does not define it as property?

Anyway, I manually  fixed the xdoc with sha256 and fixed a gitbox link.

Gruss
Bernd