Kafka / KAFKA-14052

Download verification directions are incorrect for linux



    • Bug
    • Status: Open
    • Major
    • Resolution: Unresolved
    • documentation
    • website



      The above is linked to from the kafka download page (https://kafka.apache.org/downloads), and it contains incorrect instructions for verifying the release.

      The .sha512 files for the downloads are all in this format:

      kafka_2.13-3.2.0.tgz: 736A1298 23B058DC 10788D08 93BDE47B 6F39B9E4 972F9EAC 2D5C9E85 E51E4773 44C6F1E1 EBD126CE 34D5FD43 0EB07E55 FDD60D60 CB541F1D 48655C0E BC0A4778 

      These files cannot be used to easily verify the expected hash using the procedure described in the verification website.  The website says to use:

      sha512sum file 

      ...which doesn't do any hash comparison; it only tells you what the file's hash is, and it is up to the user to manually compare its output with the differently formatted output in the .sha512 file, which is error-prone and a chore.

      Expected result:

      I would expect to be able to do 

      sha512sum -c file

      ...like any normal download.

      If the format of the .sha512 files cannot be changed to be compatible with the linux shasum program, then please update the website to describe the proper way to compare hashes.  The best way seems to be a script like this:

      SHA=$(mktemp); gpg --print-md SHA512 "$FILE" > "$SHA" && diff "$SHA" "$FILE.sha512" && echo "SHA checks out OK."

      (where FILE is the downloaded tarball.)

      I looked into providing a PR for the verification page, but that is an Apache-wide web page and probably is not publicly available.




            Assignee: Unassigned
            Reporter: M Sesterhenn (invadergir)
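The comparison requested in the report can also be done without gpg by normalising the `name: XXXXXXXX XXXXXXXX ...` layout before comparing. This is an added example, not part of the original issue or of the Apache verification page. It assumes GNU coreutils `sha512sum`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a download against a .sha512 file written in the
# "name: XXXXXXXX XXXXXXXX ..." layout shown in the issue.
# Assumes GNU coreutils sha512sum; function names are illustrative only.

# Print the digest stored in the .sha512 file as one lowercase hex string.
expected_sha512() {
    # Drop the "name:" prefix, remove all whitespace (the digest may be
    # wrapped over several lines), then lowercase the hex digits.
    sed 's/^[^:]*://' "$1" | tr -d ' \t\r\n' | tr 'A-F' 'a-f'
}

# Print the digest of the downloaded file as sha512sum computes it.
actual_sha512() {
    sha512sum "$1" | cut -d ' ' -f 1
}

# verify_sha512 FILE [SUMFILE]; SUMFILE defaults to FILE.sha512.
# Returns 0 on match, 1 on mismatch, 2 on unreadable or malformed input.
verify_sha512() {
    file=$1
    sumfile=${2:-$1.sha512}
    if [ ! -r "$file" ] || [ ! -r "$sumfile" ]; then
        echo "cannot read $file or $sumfile" >&2
        return 2
    fi
    want=$(expected_sha512 "$sumfile")
    got=$(actual_sha512 "$file")
    # Fail closed: accept only exactly 128 hex digits as the expected value.
    case $want in
        ''|*[!0-9a-f]*) echo "$sumfile: not a SHA-512 digest" >&2; return 2 ;;
    esac
    if [ "${#want}" -ne 128 ]; then
        echo "$sumfile: not a SHA-512 digest" >&2
        return 2
    fi
    if [ "$want" = "$got" ]; then
        echo "$file: OK"
    else
        echo "$file: FAILED" >&2
        return 1
    fi
}

# Run directly as: sh verify.sh kafka_2.13-3.2.0.tgz
[ "$#" -eq 0 ] || verify_sha512 "$@"
```

A matching digest only shows the download is intact relative to the .sha512 file; the release signature check is a separate step.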