[ 
https://issues.apache.org/jira/browse/FLEX-33195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13451849#comment-13451849
 ] 

Bertrand Delacretaz commented on FLEX-33195:
--------------------------------------------

Thanks - so IIUC that code makes sure md5 digests are downloaded from 
https://www.apache.org/dist/, and compares them with the actual md5 of the 
downloaded file.

My knowledge of Flex is very limited, but looking at src/InstallApacheFlex.mxml 
it seems like a single instance of that MD5CompareUtil class is used for all 
verifications, and the MD5CompareUtil.verifyMD5 method stores state in that 
instance's variables. Assuming the downloads run asynchronously, is that 
robust? Shouldn't each download use its own MD5CompareUtil instance?
                
> InstallApacheFlex mechanism to check digests on downloaded files
> ----------------------------------------------------------------
>
>                 Key: FLEX-33195
>                 URL: https://issues.apache.org/jira/browse/FLEX-33195
>             Project: Apache Flex
>          Issue Type: Sub-task
>          Components: InstallApacheFlex
>            Reporter: Bertrand Delacretaz
>            Assignee: Erik de Bruin
>            Priority: Minor
>             Fix For: InstalApacheFlex 1.0
>
>
> In FLEX-33188, Om writes that the installer does check md5 digests of the 
> files that it downloads.
> IMO this mechanism must be documented here, so that PPMC members can verify 
> it - best is probably to add a link here to the code in question (under 
> http://svn.apache.org/repos/asf/incubator/flex/ ) and explain if needed.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
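
The concern raised in the comment above, modelled as an added example that is not part of the original message and is not Apache Flex code. `StatefulVerifier` is a hypothetical stand-in for a verifier that keeps per-check state in instance fields (it is not the real `MD5CompareUtil`); the file names and contents are constructed, and a small queue stands in for asynchronous callbacks so the interleaving is deterministic.

```javascript
const crypto = require("node:crypto");

const md5 = (data) => crypto.createHash("md5").update(data).digest("hex");

// Constructed sample: digests as published on the trusted host.
const PUBLISHED = {
  "sdk.zip": md5("sdk contents"),
  "air.zip": md5("air contents"),
};

// Stand-in for the event loop: callbacks run only when drain() is called.
const queue = [];
const later = (fn) => queue.push(fn);
const drain = () => { while (queue.length) queue.shift()(); };

// Hypothetical verifier that stores the current check in instance fields.
class StatefulVerifier {
  verify(name, data, done) {
    this.name = name;
    this.data = data;
    // The published digest "arrives" later; by then another verify() call
    // on the same instance may have overwritten this.name and this.data.
    later(() => done(md5(this.data) === PUBLISHED[this.name]));
  }
}

// Start both checks before any callback runs, as concurrent downloads would.
function runChecks(verifierFor) {
  const results = {};
  const downloads = [
    ["sdk.zip", "tampered contents"], // constructed: does NOT match the published digest
    ["air.zip", "air contents"],      // constructed: matches the published digest
  ];
  for (const [name, data] of downloads) {
    verifierFor(name).verify(name, data, (ok) => { results[name] = ok; });
  }
  drain();
  return results;
}

// One instance shared by all downloads: the sdk.zip callback reads the
// air.zip state, so the mismatching file is reported as verified.
const shared = new StatefulVerifier();
const sharedResults = runChecks(() => shared);

// One instance per download: each callback sees only its own state.
const isolatedResults = runChecks(() => new StatefulVerifier());

console.log({ sharedResults, isolatedResults });
```
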
