Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [cross-project-issues-dev] md5 checksums not matching on some eclipse.org downloads

I replaced one of the download zips (the existing one had missing content) and regenerated the digest.

Kenn

On Tue, Dec 21, 2010 at 11:01 AM, Jesse McConnell <jesse.mcconnell@xxxxxxxxx> wrote:
I am with Denis on this one and it would be good to find out what
caused this in the first place?  From a security standpoint this
shouldn't have had to be fixed and the fact that it was detected only
because it was stored in a cache somewhere is bothersome in its own
right...

cheers,
jesse

--
jesse mcconnell
jesse.mcconnell@xxxxxxxxx



On Thu, Dec 16, 2010 at 21:21, Denis Roy <denis.roy@xxxxxxxxxxx> wrote:
> Our servers cache the checksums for optimal performance.  Checksums are
> queued for computation after the first ever download of any given file.  I
> have cleared them for this file, waited a bit, and they were recreated.  The
> retrieved checksums are now correct.
>
> This means that, at some point, the file on disk was altered.
>
> Is this a glitch?  I don't know.  In a security mindset, I can see how this
> can be a feature.  In my unqualified opinion, once a file is on
> download.eclipse.org it should never be altered, but instead replaced with a
> new version.
>
> Denis
>
>
>
> On 16/12/2010 7:17 PM, Konstantin Komissarchik wrote:
>
> The build system we use for Sapphire verifies downloads of various
> dependencies by checking published md5 checksums. We’ve been having trouble
> today moving to Indigo M4 because for at least one of the files, eclipse.org
> download server is consistently reporting the wrong checksum.
>
>
>
> This is the file in question:
>
>
>
> http://www.eclipse.org/downloads/download.php?file=/modeling/emf/emf/downloads/drops/2.7.0/S201012150940/emf-xsd-Update-2.7.0M4a.zip
>
> Actual Checksum: 353f7c08746bcd6ab336c2ca9b3e7556
>
>
>
> This is the how we fetch the checksum:
>
>
>
> http://www.eclipse.org/downloads/sums.php?file=/modeling/emf/emf/downloads/drops/2.7.0/S201012150940/emf-xsd-Update-2.7.0M4a.zip&type=md5
>
> Retrieved Checksum: aca8645f904c11ee2ba4cfe84f5253c4
>
>
>
> Curiously, if I go to EMF download site directly and hit their link for md5
> checksum, I get the checksum that actually matches the downloaded file. Here
> is that URL:
>
>
>
> http://download.eclipse.org/modeling/emf/emf/downloads/drops/2.7.0/S201012150940/emf-xsd-Update-2.7.0M4a.zip.md5
>
>
>
> This appears to be a case of a glitch in eclipse.org infrastructure. Yes?
> Can this be fixed?
>
>
>
> - Konstantin
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
>
>
> _______________________________________________
> cross-project-issues-dev mailing list
> cross-project-issues-dev@xxxxxxxxxxx
> https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev
>
>
_______________________________________________
cross-project-issues-dev mailing list
cross-project-issues-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/cross-project-issues-dev


Back to the top