hash-examples: Difference between revisions
m (→Proposal: change checksum to hash) |
(add Who else offers MD5/SHA-1 checksums with software) |
||
Line 8: | Line 8: | ||
== Real-World Examples == | == Real-World Examples == | ||
Currently, MD5 and SHA-1 checksums are either listed on a webpage or email (see Example #1) or stored in a separate file such as (filename.ext.md5 or filename.ext.sha1) (see Example #2). There is no standard or automatic way to use them. Verifying a file after you have the hash is not complex, but it is more than the average user is used to doing (see [http://www.openoffice.org/dev_docs/using_md5sums.html OpenOffice.org: Using MD5 sums]). | Currently, MD5 and SHA-1 checksums are either listed on a webpage or email (see Example #1) or stored in a separate file such as (filename.ext.md5 or filename.ext.sha1) (see Example #2). There is no standard or automatic way to use them. Verifying a file after you have the hash is not complex, but it is more than the average user is used to doing (see [http://www.openoffice.org/dev_docs/using_md5sums.html OpenOffice.org: Using MD5 sums]). | ||
== Who else offers MD5/SHA-1 checksums with software == | |||
*[http://httpd.apache.org/ Apache HTTP Server] in .md5 file from web. | |||
*[http://www.freebsd.org/ FreeBSD] on web and in CHECKSUM.MD5 and CHECKSUM.SHA256 files. | |||
*[http://www.gentoo.org/ Gentoo] as .md5 file on ftp. | |||
*[http://www.gnome.org/ GNOME] as MD5SUMS-for-gz and MD5SUMS-for-bz2 files on ftp. | |||
*[http://www.kde.org/ KDE] on web and on ftp as MD5SUMS file. | |||
*[http://www.mysql.com/ MySQL] on web. | |||
*[http://www.postgresql.org/ PostgreSQL] in a .md5 file. | |||
*[http://www.ubuntu.com/ Ubuntu] as MD5SUMS on ftp. | |||
=== Example #1: [http://download.openoffice.org/2.0.1/md5sums.html OpenOffice.org MD5 sums] === | === Example #1: [http://download.openoffice.org/2.0.1/md5sums.html OpenOffice.org MD5 sums] === | ||
<pre> | <pre> |
Revision as of 23:00, 6 February 2006
Hash Examples
A microformat for MD5 and SHA-1 hashes.
The Problem
Checksums (MD5 & SHA-1 hashes) are offered for files to prove they haven't been tampered with and to uniquely identify them. They are very useful, but they are not used as much as they could be. The current method involves a manual process of hashing the downloaded file (with programs that are not installed by default on all operating systems) and then comparing the value to the one listed. An easy and automatic way to use them would be preferrable to present methods.
Participants
- Ant Bryan
Real-World Examples
Currently, MD5 and SHA-1 checksums are either listed on a webpage or email (see Example #1) or stored in a separate file such as (filename.ext.md5 or filename.ext.sha1) (see Example #2). There is no standard or automatic way to use them. Verifying a file after you have the hash is not complex, but it is more than the average user is used to doing (see OpenOffice.org: Using MD5 sums).
Who else offers MD5/SHA-1 checksums with software
- Apache HTTP Server in .md5 file from web.
- FreeBSD on web and in CHECKSUM.MD5 and CHECKSUM.SHA256 files.
- Gentoo as .md5 file on ftp.
- GNOME as MD5SUMS-for-gz and MD5SUMS-for-bz2 files on ftp.
- KDE on web and on ftp as MD5SUMS file.
- MySQL on web.
- PostgreSQL in a .md5 file.
- Ubuntu as MD5SUMS on ftp.
Example #1: OpenOffice.org MD5 sums
English Application Binaries e0d123e5f316bef78bfdf5a008837577 OOo_2.0.1_LinuxIntel_install.tar.gz 35d91262b3c3ec8841b54169588c97f7 OOo_2.0.1_LinuxIntel_install_wJRE.tar.gz cc273fe9d442850fa18c31c88c823e07 OOo_2.0.1_SolarisSparc_install.tar.gz ff6626c69507a6f511cc398998905670 OOo_2.0.1_SolarisSparc_install_wJRE.tar.gz ce099d7e208dc921e259b48aadef36c1 OOo_2.0.1_Solarisx86_install.tar.gz 4fb319211b2e85cace04e8936100f024 OOo_2.0.1_Solarisx86_install_wJRE.tar.gz 66bd00e43ff8b932c14140472c4b8cc6 OOo_2.0.1_Win32Intel_install.exe 2d86c4246f3c0eb516628bf324d6b9a3 OOo_2.0.1_Win32Intel_install_wJRE.exe
Example #2: Knoppix MD5 and SHA-1 sums in separate files
KNOPPIX_V4.0.2CD-2005-09-23-EN.iso.md5: 1188f67d48c9f11afb8572977ef74c5e *KNOPPIX_V4.0.2CD-2005-09-23-EN.iso KNOPPIX_V4.0.2CD-2005-09-23-EN.iso.sha1: 56857cfc709d3996f057252c16ec4656f5292802 *KNOPPIX_V4.0.2CD-2005-09-23-EN.iso
Note: This directory also contains filename.ext.md5.asc and filename.ext.sha1.asc files containing the same checksums and PGP signatures in one file.
Existing Practices
As described above, I believe almost all solutions are manual (see OpenOffice.org: Using MD5 sums), an 8 step process on Windows and 3 steps on Linux. Link Fingerprints which are used by MD Hash Tool, a Firefox extension, is one exception. Here is a Link Fingerprint example:
http://example.org/OOo_2.0.1_LinuxIntel_install.tar.gz#!md5!e0d123e5f316bef78bfdf5a008837577
A Link Fingerprint begins with a traditional URL, then #!md5!, then the MD5 hash.
Brad Fitzpatrick also suggested referring to "files/patches/changesets" by their unique digest.
Proposal
A microformat for MD5 and SHA-1 hashes could make them more usable. MD Hash Tool, another extension, or download managers could be modified to use them automatically.
<span class="download"> <a rel="bookmark" href="http://example.com/OOo_2.0.1_.tar.gz">Download OpenOffice.org</a> <span class="hash-md5">e0d123e5f316bef78bfdf5a008837577</span> </span>