On 3/14/10 10:36 AM, Lasse Kliemann wrote: > * Message by -Raymond Toy- from Sun 2010-03-14: > >> On 3/14/10 7:20 AM, Lasse Kliemann wrote: >> >>> * Message by -Raymond Toy- from Sat 2010-03-13: >>> >>> >>>> On 3/13/10 9:17 PM, Lasse Kliemann wrote: >>>> >>>> >>>>> Can someone please point me to OpenPGP key 0xB4900DBC? >>>>> >>>>> It was used to sign the 20a release, but I haven't found it >>>>> anywhere. It seems to be on no keyserver. >>>>> >>>>> >>>>> >>>> Is this for the FreeBSD binaries? >>>> >>>> >>> It is (at least) for Linux and Solaris binaries and for the >>> source code, i.e., these files: >>> >>> cmucl-20a-x86-linux.tar.bz2 >>> cmucl-20a-sparcv9-solaris8.tar.bz2 >>> cmucl-src-20a.tar.bz2 >>> >>> >> Hmm. I made those binaries. I guess I never uploaded the key anywhere, >> and, unfortunately, I no longer have access to the machine that I used >> to sign these. I thought I saved those keys to my current machine but >> it seems that I didn't. >> > Now you know that I'm the only user that cares about signatures. :-) > Well, if we didn't care, we wouldn't have signed them. :-) But it's my fault for not copying my keys to another machine.
>> If you are concerned about these, I can generate new binaries and >> signatures for these files. It will take some time to do, though. >> > So you don't have "master copies" of those files around? We could > just compare checksums then: > > e88dd79bdecf17c2670f5b7aa430cc0414acfde2 cmucl-20a-sparcv9-solaris8.tar.bz2 > f9b3141f9298abe1f69cbb88938ff96a12445eb6 cmucl-20a-x86-linux.tar.bz2 > 4381905b212678f7953920abb49bf24e822d1ace cmucl-src-20a.tar.bz2 > Since I don't have access to the machines that built the sparc and linux binaries, I don't have master copies anymore. I do have a master copy of all the Mac OS X builds, though. What method did you use to compute the checksums? I downloaded cmucl-src-20a.tar.bz2 and the md5 sum is e3e1daa3631d38ed3c3e7601d798aba1. If you don't necessarily need the 20a release, could you try the 2010-03 (or 02) snapshot? I have master copies of those binaries. > Otherwise, if you say that you don't see any indication that > those files have been manipulated, that would suffice as well. > > I can't guarantee they haven't been changed. The snapshots after 2009-12 should match what I built since I uploaded those from the machines I have access to. I haven't verified the signatures, though. Ray
