Issue 122905 - Checksum page has several mistakes
Summary: Checksum page has several mistakes
Status: CLOSED FIXED
Alias: None
Product: Infrastructure
Classification: Infrastructure
Component: Downloads
Version: current
Hardware: All All
: P3 Normal
Target Milestone: ---
Assignee: Marcus
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
Reported: 2013-07-31 01:17 UTC by sebb
Modified: 2013-08-23 21:44 UTC

See Also:
Issue Type: DEFECT
Latest Confirmation in: ---
Developer Difficulty: ---


Attachments

Description sebb 2013-07-31 01:17:12 UTC
The page http://www.openoffice.org/download/checksums.html has the title:

"How to verify downloads with checksum files?"

This is not strictly correct; .asc files are not checksums, they are (detached) signatures.
In fact nor are MD5 and SHA1 - they are hashes.

It would be better to call the page

"How to verify downloads"

The page also says:

gpg.exe --import openoffice.asc

That is wrong; it is the KEYS file that needs to be imported.

gpg.exe --verify <ASC file>.asc <AOO file>.exe

is also wrong; gpg automatically strips the .asc to determine which file to check.

It might be better to link to the ASF page at:

http://www.apache.org/dyn/closer.cgi#verify
Comment 1 Marcus 2013-07-31 22:46:49 UTC
taking over
Comment 2 SVN Robot 2013-08-01 21:23:58 UTC
"marcus" committed SVN revision 1509433 
#122905# Updated text
Comment 3 SVN Robot 2013-08-01 21:46:54 UTC
"marcus" committed SVN revision 1509437 
#122905# Updated text
Comment 4 SVN Robot 2013-08-01 21:48:55 UTC
"marcus" committed SVN revision 1509443 
#122905# Updated text
Comment 5 Marcus 2013-08-01 21:59:29 UTC
Thanks for looking at the text, I've fixed the mistakes.
Comment 6 sebb 2013-08-01 23:06:28 UTC
Thanks, however there are still some problems:

The following statement is not strictly true:

"A hash value processed on the downloaded file is a way to make sure that the content is authentic and was not manipulated by an unauthorized third party"

Hashes should only be used to check that a download has completed OK.
They are not suitable for content authentication.

The following sentence does not read well:
>>When both signatures match it is indicated with an "Good signature from <Person who has created the signature> statement.<<.

There is only one signature; "both" does not make sense here. It should probably read something like:

>>If the signature matches the file this is shown by the message "Good signature from <Person who has created the signature>."<<

It is wrong to insist that Windows users download a specific hashing tool; there are lots of other tools that are suitable.

"Please try again a download to get a valid file." - should read:
"Please try the download again, and recheck. If the check still fails, try another browser if possible. Check also that the file size is correct."

"Please consult the respective help " => "Please consult the relevant help "

"Be aware that all mails do not go to a single person but a so-called mailing list." =>  "Please note that all mails go to a public mailing list, not an individual."

It would be helpful if the following text were actually a link:

http://www.apache.org/dist/openoffice/KEYS
Comment 7 SVN Robot 2013-08-02 19:10:40 UTC
"marcus" committed SVN revision 1509822 
#122905# Improved wording, suggested by sebb
Comment 8 Marcus 2013-08-02 19:15:38 UTC
> It is wrong to insist that Windows users download a specific hashing tool;
> there are lots of other tools that are suitable.

Yes, and for Linux/Mac there might also be other tools. But I think it's better to give an example than just to point to Google for searching them.

> "Please try again a download to get a valid file." - should read:
> "Please try the download again, and recheck. If the check still fails, try
> another browser if possible. Check also that the file size is correct."

Checking the file size is indeed a good thing. However, we don't provide one yet (*), so this hint doesn't help and IMHO it's better not to mention this for now.

> It would be helpful if the following text were actually a link:
> 
> http://www.apache.org/dist/openoffice/KEYS

Hm, must be a relic from a former text. And I've no Windows, Linux, *and* Mac to check all instructions. ;-)

So, thanks for finding the last bad parts and improving the English text.

(*) It's a todo to get this and offer it to the user. Once it exists, I'll update this text.
Comment 9 sebb 2013-08-02 22:11:48 UTC
(In reply to Marcus from comment #8)
> > It is wrong to insist that Windows users download a specific hashing tool;
> > there are lots of other tools that are suitable.
> 
> Yes, and for Linux/Mac there might be also other tools. But I think it's
> better to give an example than just to point to Google for searching them.

The ASF should not promote one tool over another, so at the very least the page should mention other tools. For example, some are mentioned on the main ASF page.

There's also HashTab and lots of others.

The way the page is worded, it seems like the user has to install a specific tool.
Comment 10 SVN Robot 2013-08-02 23:22:39 UTC
"marcus" committed SVN revision 1509910 
#122905# Added tools as examples, to not prefer any specific one, suggested b...
Comment 11 Marcus 2013-08-02 23:26:17 UTC
I've added a list of tools and a message that we don't prefer any specific tool for each of the 3 verification methods.

Does it fit?
Comment 12 sebb 2013-08-03 11:37:41 UTC
Where is the page with the updates? AFAICT the public page still has all the problems.
Comment 13 Marcus 2013-08-03 11:44:16 UTC
It's not yet published but only in the staging area:

http://ooo-site.staging.apache.org/download/checksums.html
Comment 14 sebb 2013-08-03 12:22:16 UTC
It's a lot better, but there are still some minor issues.

>>Open a terminal and change to the directory with the downloaded AOO, KEYS and PGP/ASC file.<<

However the instructions then download the KEYS file.
That's inconsistent.

Same applies to Mac section.

===

The page is very long; I think you could combine the MD5/SHA256 sections, as the instructions are very similar.

The page should also state that there is no need to check the hashes if the signature is valid. Also use the SHA256 hash in preference to MD5, but either will do to check if the download was corrupted. The user does not need to check both MD5 and SHA256.

===

Does the Mac not have sha256sum and md5sum?
They are easier to use.
Comment 15 SVN Robot 2013-08-03 13:45:24 UTC
"marcus" committed SVN revision 1509988 
#122905# Updated text, suggested by sebb
Comment 16 Marcus 2013-08-03 15:24:22 UTC
1)
Inconsistency with the KEYS file.
--> Fixed

2)
The page is very long.

Right, I've looked at it from the technical side and tried to make it complete. Of course, it can be combined when mentioning that it's very similar.
I've also re-arranged the texts now in a way that the Windows, Linux and Mac things are together.
--> Fixed.

3)
No need for all. SHA256 before MD5.
--> I've added a text at the beginning, below the TOC.

4)
Does the Mac not have sha256sum and md5sum?

Mac OS seems to use different tools with different names. I've found this in the Apple support knowledge DB:

http://support.apple.com/kb/HT1652

When they write to use "openssl", then IMHO it should be OK.
--> I'll keep it as it is.

Please check on the staging page:
http://ooo-site.staging.apache.org/download/checksums.html
Comment 17 sebb 2013-08-05 20:38:48 UTC
Getting better, but the sentences don't read well.

>>There is no need to do all verifications. It is sufficient to verify the signature, SHA256 or MD5 hash. However, it is recommended to prefer the SHA256 method than MD5.<<

Would be better as

>>There is no need to do all the verifications. The best is to check the GPG signature (.ASC) file. Failing that, use the SHA256 hash, otherwise use the MD5 hash.<<

===

>>When both SHA256 / MD5 hash values match it is indicated with an "<AOO file>.tar.gz: OK" statement.<<

would be better as:

>>If the hash matches this is indicated by "<AOO file>.tar.gz: OK".<<

===

>>Now compare both SHA256 / MD5 hash values.<<

should be

>>Now compare the hash generated by Openssl with the value in the file<<
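As an added illustration of the hash check discussed in this thread (it is not code from the issue or from the OpenOffice site): a Python equivalent of `sha256sum -c` / `md5sum -c` that parses a checksum file, recomputes the digest and reports the `<file>: OK` result sebb refers to. The file name and contents are constructed for the example; as noted above, a matching hash only shows the download is intact, and authenticity comes from the GPG signature check against the KEYS file.

```python
import hashlib
import os
import tempfile

_ALGOS = {32: "md5", 64: "sha256"}  # digest length in hex chars identifies the algorithm

def parse_checksum_file(text):
    """Parse coreutils-style lines '<hexdigest>  <filename>' (a leading '*' marks binary mode)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.strip().partition(" ")
        name = name.strip().lstrip("*")
        algo = _ALGOS.get(len(digest))
        if algo is None or not name:
            raise ValueError("unrecognised checksum line: %r" % line)
        entries.append((algo, digest.lower(), name))
    return entries

def hash_file(path, algo):
    """Stream the file through the chosen hash, as sha256sum/md5sum/openssl do."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_download(checksum_text, directory):
    """Return {filename: 'OK' | 'FAILED'}, mirroring the '<file>: OK' line of sha256sum -c."""
    results = {}
    for algo, expected, name in parse_checksum_file(checksum_text):
        actual = hash_file(os.path.join(directory, name), algo)
        results[name] = "OK" if actual == expected else "FAILED"
    return results

def demo():
    """Constructed sample: a tiny stand-in for the AOO archive, checked intact and after corruption."""
    name = "Apache_OpenOffice_example.tar.gz"  # constructed name, not a real release file
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"hello\n")
        digest = hash_file(path, "sha256")
        checksum_text = "%s  %s\n" % (digest, name)  # content of the matching .sha256 file
        intact = check_download(checksum_text, d)
        with open(path, "ab") as f:  # simulate a corrupted download by altering the file
            f.write(b"X")
        corrupted = check_download(checksum_text, d)
    return {"sha256": digest, "intact": intact, "corrupted": corrupted}
```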
Comment 18 Marcus 2013-08-05 22:16:06 UTC
Thanks for the corrections. I've updated the text.
Comment 19 SVN Robot 2013-08-05 22:16:06 UTC
"marcus" committed SVN revision 1510782 
#122905# Corrected English language, suggested by sebb