On 24.09.2009 23:11, Guenter Knauf wrote: > Hi, > here's based on input from Rainer and RĂ¼diger my last trial unless I get > further positive comments instead of disappointing ones ... > highlighted: > http://people.apache.org/~fuankg/testchecksum/testchecksums.sh.html > plaintext: > http://people.apache.org/~fuankg/testchecksum/testchecksums.sh.txt > with .sh extension for download: > http://people.apache.org/~fuankg/testchecksum/testchecksums.sh > > tested on: > - Linux (OpenSuSE) with openssl, gpg, md5sum / sha1sum > - FreeBSD (p.a.o) with openssl and md5 / sha1
I like it. > it will most likely also work correctly on MacOSX. > > If there's acceptance, and we commit it, I will also write some lines to > explain how to use the common spreaded checksum tools to verify tarballs > which we can then either add to the download page; or better add a > separate static html page, and link to it from download page. One important note (and that's what Roy was saying): if users want to really verify a download, they have to use the signature. That's pretty well explained on the download page. We should not give users the impression, a cheap "md5sum -c" is equally fine. Biggest difference: checking the hash only ensures, that your local file fits to the md5 sum. If the server would be hacked, you wouldn't detect a compromised download as long as the md5 was also compromised. The signature check tells you, that the file is the one the guy with the signature signed, and if you also verify whether that guy is in your web of trust, then your download is safe (as long as the signing key is). So I think we should not put much focus on explaining how to check ash, but making it simpler is still nice. Regards, Rainer
