Timestamp headers missing for source downloads

This note is intended for the people that run the Digium download
server. You can ignore it if you aren’t them.

I have long used “/usr/bin/wget -Nr -nd” in a script to download the
Asterisk source code, from ftp.digium.com. This would not retrieve the
source if I already had a copy. Digium recently fiddled with their
download server and wget now reports the following message:

Last-modified header missing – time-stamps turned off.

It then downloads the source file, even though I already have a copy of it.

Also, I have long had to update my script with the current release
number when a new release came out. I now notice that there is a
1.4-current file. That seems nice since I wouldn’t have to update my
script when a new release comes out. However, there is a small problem.
There is a 1.4.10.tar.gz.asc gpg signature, but there isn’t a
1.4-current.tar.gz.asc gpg signature. There isn’t, BTW, any way to
REALLY verify the signature since you do not publish any GPG keys on the
Digium website.

And I offer a thought. I use this code to make sure I have the current
version of Clamav.

get own version

OURVER=clamscan -V | awk -F'[ /]' '{print $2}'

get desired version

VER=dig +short current.cvd.clamav.net txt | awk -F'[":]' '{print $2}'

echo “Our version $OURVER, current version $VER”

if [ “$OURVER” = “$VER” ]
echo "No update needed"
exit 0

That allows me to automate checking the current version and puts no load
on the clamav download server. If you were bored you could think about
doing something similar for Asterisk. An important problem is that the
-V option returns the current version of Asterisk, but not libpri,
zaptel or addons.

I don’t know whether you would like to reduce load on your download
server, but most people do. As security issues with Asterisk become
more important to customers a fast way to verify the software is current
will be helpful.

Please fix the timestamps, provide the gpg signature for -current,
publish a Digium GPG key, and consider using the DNS shortcut to verify
current versions.