WordPress.org

Hash of latest.tar.gz (5 posts)

  1. fwaggle
    Member
    Posted 5 years ago #

    Hi there,

    I'm not sure if this is already available, but would it be possible to have a hash of the latest.tar.gz uploaded onto the same site the download comes from? I'm automating roll-outs of WordPress, and I was thinking it'd be nice to have the script check that I'm using an up-to-date version before I start, and I don't want to have it re-download if it's not needed.

    Eg I grab wordpress.org/latest.md5 which should only be a few bytes, I compare it to md5 latest.tar.gz, and if they're different I redownload and extract.

    SHA1, SHA256, MD5, I don't mind... Just something in a text file that we can parse easily in a script to determine if the file's changed and should be re-downloaded.

  2. ClaytonJames
    Member
    Posted 5 years ago #

    I think you can find an md5 hash for all versions on the release archive page.

    http://wordpress.org/download/release-archive/

  3. fwaggle
    Member
    Posted 5 years ago #

    Hi Clayton,

    Thanks for the answer, but that doesn't really help - that looks like it's more geared towards ensuring you downloaded a legitimate copy of a specific version and that it came out correct, it doesn't really help guess what the newest version is, unless your script takes educated stabs in the dark (checks 2.7.2, 2.8.0, etc).

    For future reference of anyone who might google this thread, the closest I've come up with is making a HEAD request for latest.tar.gz, and parsing the version out of the filename given in this line:

    Content-Disposition: attachment; filename=wordpress-2.7.1.tar.gz

    ... which has the desired effect, no need to re-download the whole thing periodically if you already have the latest version. :D

  4. ClaytonJames
    Member
    Posted 5 years ago #

    "Eg I grab wordpress.org/latest.md5 which should only be a few bytes, I compare it to md5 latest.tar.gz, and if they're different I redownload and extract."

    I think I may be having a dense moment here. If you have the known md5 of the tar.gz that belongs to the known latest version of WordPress, and you use that to compare against the hash sum of the latest tar.gz posted as available for download, why would your script have to guess at anything? In the event of a negative result, it would be time to download the new version, would it not?

    "that looks like it's more geared towards ensuring you downloaded a legitimate copy of a specific version and that it came out correct"

    Yes. It is. I believe that is exactly the intent of using a hash sum. (Forensically speaking, just a numeric representation unique to the content of a file or files.) No two versions of WordPress (different versions, or a corrupted example of the same versions) would ever share the same hash, so why would any script have to take any "educated guesses"? If the hash doesn't match the known valid signature of the known latest version, it's time to re-download, no?

    That matches exactly the desires you expressed in your first post.

    "Eg I grab wordpress.org/latest.md5 which should only be a few bytes, I compare it to md5 latest.tar.gz, and if they're different I redownload and extract...
    ...Just something in a text file that we can parse easily in a script to determine if the file's changed and should be re-downloaded"

    Which makes me not understand this statement at all;

    "it doesn't really help guess what the newest version is, unless your script takes educated stabs in the dark (checks 2.7.2, 2.8.0, etc)."

    I can't think of a script that would be capable of anticipating the MD5 (or any other algorithm) of a file not yet created. So guessing is out of the equation. It either matches a known signature or it doesn't.

    No matter.. I'm probably just not seeing what you are really trying to accomplish. Hope you find a solution that works for you.

    Cj

  5. fwaggle
    Member
    Posted 4 years ago #

    Hi Cj,

    Sorry for the delay in response.

    Basically what I'd like to do is have an automatic roll-out script of WordPress that self-updates, without repeatedly grabbing latest.tar.gz when it's not necessary.

    The way I figure on doing this is storing the checksum of latest.tar.gz, then if WordPress could store the checksum in say latest.md5, I could simply download that and compare it. A few bytes a day, as opposed to grabbing latest.tar.gz every day.

    My script downloads wordpress.org/latest.md5, I compare it to the md5 of the version I have... if they're different, it downloads latest.tar.gz and extracts it.

    Basically what I was saying about the version numbers is that there's no way to get the MD5 without taking guesses at the most recent version numbers and grabbing them off the changes page, which is probably no easier than any other method you can dream up.

    TL;DR: If WordPress.org would store a simple text file with the MD5 in wordpress.org/latest.md5, it'd make my life a load easier. :D
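
The two checks discussed in this thread (the version parsed from the `Content-Disposition` header of a HEAD response, and the comparison against a small published checksum file), as an added example that is not code from any poster or from WordPress.org. It goes slightly beyond the posts by accepting MD5, SHA-1 or SHA-256 digests; the function names and the sample response are assumptions constructed for illustration, and fetching the header or checksum text is left to the caller.

```python
import hashlib
import re
from email.message import Message

# Constructed HEAD response; the Content-Disposition line is the one quoted in the thread.
SAMPLE_HEAD = ("HTTP/1.1 200 OK\r\n"
               "Content-Type: application/octet-stream\r\n"
               "Content-Disposition: attachment; filename=wordpress-2.7.1.tar.gz\r\n\r\n")

# Accept only the exact expected name, so a header carrying path parts or other text is rejected.
_NAME_RE = re.compile(r"wordpress-(\d+(?:\.\d+)*)\.tar\.gz")
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def _normalize(parts):
    """Drop trailing zeros so 2.8 and 2.8.0 compare equal."""
    parts = list(parts)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_from_head(raw_head):
    """Return the advertised version as a tuple of ints, or None if absent or malformed."""
    for line in raw_head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-disposition":
            msg = Message()
            msg["Content-Disposition"] = value.strip()
            match = _NAME_RE.fullmatch(msg.get_filename() or "")
            return _normalize(int(p) for p in match.group(1).split(".")) if match else None
    return None


def needs_download(raw_head, installed):
    """True when the server advertises a version newer than `installed` (e.g. "2.7.1")."""
    remote = version_from_head(raw_head)
    if remote is None:
        raise ValueError("no wordpress-X.Y.Z.tar.gz filename in the response")
    return remote > _normalize(int(p) for p in installed.split("."))


def archive_changed(published_text, local_archive):
    """Compare local archive bytes with a published hex digest (first token of the text)."""
    token = (published_text.split() or [""])[0].lower()
    algo = _ALGO_BY_HEX_LEN.get(len(token))
    if algo is None or not re.fullmatch(r"[0-9a-f]+", token):
        raise ValueError("not an MD5, SHA-1 or SHA-256 hex digest")
    # Change detection only: a digest served next to the archive does not authenticate it.
    return hashlib.new(algo, local_archive).hexdigest() != token
```
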

Topic Closed

This topic has been closed to new replies.
