will find that generally .zip files are intended for Windows machines and .tar.gz and .tar.bz2 for UNIX systems. The .gz format is decompressed with the gzip utility and .bz2 files with the bzip2 utility. The bzip2 compression algorithm produces better compression, while gzip is “more common.” If you have a modern Linux distribution, you almost certainly have both installed already.
Once you have the archive file downloaded, you should download one of the files linked next to it. These are cryptographic hashes of the legitimate archive file so you may be (more) assured that the software is the software you think it is. The first, PGP, is an actual digital signature. If you are already familiar with PGP or GnuPG and are comfortable with them, then by all means use this. It is, as you know, a superior form of validation compared to MD5. But explaining how to use digital signatures and GPG keys is beyond our scope here. As for MD5, however, this is fairly easy.
An MD5 hash is a 128-bit value generated in such a way that it is impossible for two different files of the same length to have the same hash value (actually, the term used in the literature is “computationally unfeasible,” but for our purposes that is the same thing). If you run the program md5sum with the tarball file as an argument and you get the same number as the one you downloaded, you may be certain that the file you have is an exact match with the one that was used to produce the number you downloaded from the Web page. Remember that this is all that the match proves. If both the file server and the Web page have been compromised, then the fact of a match doesn't mean much. A mismatch, however, proves that one of the two has been compromised, and you probably shouldn't use the tarball.
You should get in the habit of verifying checksums and digital signatures where they are supported.
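The md5sum comparison described above, together with the rule of extracting the tarball only when the hash matches, written out as a POSIX shell script. This is an added example, not code from the book and not its Example 9.1: the archive sample-1.0.tar.gz and its .md5 file are constructed in a temporary directory rather than downloaded, and the function names verify_md5 and extract_if_valid are my own.

```shell
#!/bin/sh
# Added example: check a downloaded tarball against its published .md5 file
# before unpacking it. Everything below is constructed locally; nothing is
# downloaded.

# verify_md5 ARCHIVE MD5FILE
# Returns 0 when the MD5 of ARCHIVE equals the hash in MD5FILE, 1 on a
# mismatch, 2 when either file is missing.
verify_md5() {
    archive=$1
    md5file=$2
    [ -f "$archive" ] || { echo "missing archive: $archive" >&2; return 2; }
    [ -f "$md5file" ] || { echo "missing checksum file: $md5file" >&2; return 2; }
    # A published .md5 file holds either the bare hash or "hash  filename"
    # as md5sum prints it; in both cases the hash is the first field.
    # Lower-casing lets an upper-case hex digest from the Web page compare equal.
    expected=$(head -n 1 "$md5file" | awk '{print $1}' | tr '[:upper:]' '[:lower:]')
    actual=$(md5sum "$archive" | awk '{print $1}')
    if [ "$expected" = "$actual" ]; then
        echo "OK: $archive matches $md5file"
        return 0
    fi
    echo "MISMATCH: $archive" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# extract_if_valid ARCHIVE MD5FILE DESTDIR
# Unpacks the .tar.gz only after the checksum matches, so a corrupted or
# replaced download is never extracted; returns verify_md5's code otherwise.
extract_if_valid() {
    verify_md5 "$1" "$2" || return $?
    mkdir -p "$3" && tar xzf "$1" -C "$3"
}

# Demonstration on constructed data (a made-up sample-1.0 release, not Ant).
demo() {
    work=$(mktemp -d)
    mkdir "$work/sample-1.0"
    echo "hello" > "$work/sample-1.0/README"
    ( cd "$work" && tar czf sample-1.0.tar.gz sample-1.0 )
    # The publisher's side: md5sum output saved next to the archive.
    ( cd "$work" && md5sum sample-1.0.tar.gz > sample-1.0.tar.gz.md5 )

    if extract_if_valid "$work/sample-1.0.tar.gz" "$work/sample-1.0.tar.gz.md5" "$work/out"; then
        good=0
    else
        good=$?
    fi
    # Simulate a truncated or tampered download by appending one byte.
    printf 'x' >> "$work/sample-1.0.tar.gz"
    if extract_if_valid "$work/sample-1.0.tar.gz" "$work/sample-1.0.tar.gz.md5" "$work/out2"; then
        bad=0
    else
        bad=$?
    fi
    rm -rf "$work"
    echo "intact archive: rc=$good, tampered archive: rc=$bad"
}

demo
```

Running the script prints an OK line for the intact archive, a MISMATCH report for the altered copy, and then "intact archive: rc=0, tampered archive: rc=1". The comparison is done on the digest string rather than with md5sum -c so that a .md5 file containing only the bare hash, as some download pages publish it, is handled as well.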
If you are still worried about the dual compromise, well, that's where a PGP digital signature can help. It not only proves the integrity of the data; it also proves the identity of the generator. Learn more about PGP (actually, the Free Software version of it, called GnuPG) at the GnuPG Web site. 4
Once you have downloaded both the md5 file and the tarball, validate and extract the tarball (Example 9.1).
Note that we did this in a regular user's home directory. If you just wish
to use ant yourself, then this is the way to go. If you wish to make ant available
4. http://www.gnupg.org/