On Thu, November 30, 2017 22:46, Graeme Geldenhuys wrote:
> On 2017-11-30 14:47, Tomas Hajny wrote:
>> Sourceforge provides HTTPS access, that should be safe enough. Apart
>> from that - no, checksums are not being created as part of the release
>> process at the moment.
>>
>> Tomas
>
> That really should be fixed. As someone that has many many releases in
> my years, it is hardly any effort creating such checksums - and can be
> easily scripted.

Checksums may indeed be created / calculated rather easily. However, that is not enough. The checksums must get to the end user in a secured way as well, otherwise it makes no sense. What is the appropriate mechanism for that from your point of view? Just listing on our WWW pages (since these may be accessed via HTTPS to avoid modification on the way) and copying the checksum to the WWW pages with links (somewhat time-consuming, unfortunately, due to many download pages and many files - I guess that we may provide you with a possibility to do this for the next release if you like ;-) )? Or having a signed (how - which trusted signature source?) checksum file accompanying each and every released file (cluttering the release directories considerably)? Or?

Tomas
_______________________________________________
fpc-pascal maillist - fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
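
Added example, not part of the original message or of the FPC release process: one way to script the checksums as a single manifest per release tree, so that only that one small file has to reach the user through an authenticated channel (an HTTPS page or a detached signature, as discussed above). The file name SHA256SUMS, the function names and the sample file are assumptions; the check goes beyond the thread by also reporting missing and unlisted files.

```python
import hashlib
import tempfile
from pathlib import Path, PurePosixPath

MANIFEST = "SHA256SUMS"  # assumed name: one manifest per release, not one per file

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # stream large archives
            h.update(block)
    return h.hexdigest()

def release_files(root):
    """Relative POSIX names of every file in the tree except the manifest."""
    return sorted(p.relative_to(root).as_posix() for p in Path(root).rglob("*")
                  if p.is_file() and p.name != MANIFEST)

def write_manifest(root):
    """Release side: write 'digest  name' lines, the format `sha256sum -c` reads."""
    lines = [f"{sha256_file(Path(root, n))}  {n}\n" for n in release_files(root)]
    Path(root, MANIFEST).write_text("".join(lines), encoding="utf-8")
    return len(lines)

def verify_manifest(root):
    """User side: return {name: problem}; an empty dict means the tree matches."""
    problems, listed = {}, set()
    for line in Path(root, MANIFEST).read_text(encoding="utf-8").splitlines():
        digest, _, name = line.partition("  ")
        if not name or name.startswith("/") or ".." in PurePosixPath(name).parts:
            problems[name or line] = "bad-entry"  # never follow a path out of the tree
            continue
        listed.add(name)
        if not Path(root, name).is_file():
            problems[name] = "missing"
        elif sha256_file(Path(root, name)) != digest.lower():
            problems[name] = "mismatch"
    for name in release_files(root):
        if name not in listed:
            problems[name] = "unlisted"  # present on disk, never vouched for
    return problems

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample release tree
        (Path(d) / "sample-release.tar").write_bytes(b"constructed payload")
        write_manifest(d)
        (Path(d) / "sample-release.tar").write_bytes(b"modified after release")
        print(verify_manifest(d))  # reports the changed file
```

The manifest proves nothing by itself: anyone able to replace a release file on a mirror can regenerate it, so it is the manifest that must be delivered over the secured channel.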