At Sat, 29 Nov 2014 21:44:02 +0000, laigualdad wrote: > >I'm updating it to point to 2014.10.07 now. > > OK then, no need for me to add it to the bug tracker. > > I will add a note about the expired domain though. > > And...you were right about the file verification methods being used, > there is no issue. It was just my paranoia getting ahead of rational > thought. > > Thanks! :)
You're welcome, and don't forget to Cc: the list! -- Happy hacking, ~ Luke Shumaker > On November 29, 2014 1:41:31 PM EST, Luke Shumaker <[email protected]> > wrote: > >At Sat, 29 Nov 2014 01:07:44 +0000, > >laigualdad wrote: > >> The main repo is repo.parabola.nu, right? I presume that is the one > >> that the others sync with. > > > >Yes; though some are probably trying to sync with > >repo.parabolagnulinux.org, which should be the same server, but the > >domain has expired. > > > >> There is a directory called "latest" which contains the image from > >> last year. :) It looks like potential confusion could be prevented > >> by simply deleting it, since the "2013.09.01" directory is > >> identical. > > > >If you browse to <https://repo.parabola.nu/iso/>, you can see that > >"latest" is a symlink to "2013.09.01". > > > >It was never updated to point to "2014.06.01" because nobody was > >willing to sign the ISO, as it was contributed instead of created by > >one of the normal developers (he's a normal contributor now, but > >wasn't at the time). > > > >I'm updating it to point to 2014.10.07 now. > > > >> The other repos that are not identical simply seem to have not > >> synced in a while, but I know that's typical in a small distro. > >> > >> In the most recent directory, "2014.10.07", an .sfv (Simple > >> verification) file is provided rather than a checksum > >> file. Scratching my head at this. Before now, I'd never even heard > >> of SFV. A quick search gives me many sources saying that SFV cannot > >> be used to verify a file's authenticity. Even MD5 hashes are > >> better. However, these days, we shouldn't use anything less than > >> SHA-2 hashes (sha256sum, for example), because everything weaker has > >> been broken! > > > >The checksums are only a quick check if the file/download was > >corrupted; authenticity should be verified with the PGP '.sig' file. > > > >-- > >Happy hacking, > >~ Luke Shumaker > _______________________________________________ Dev mailing list [email protected] https://lists.parabola.nu/mailman/listinfo/dev
