On 18/08/17 09:23, Carsten Haitzler (The Rasterman) wrote: > On Thu, 17 Aug 2017 17:41:39 +0200 maderios <mader...@gmail.com> said: > >> Hi >> Enlightenment 21.9 is out. Where can I find checksum? >> Thanks > > we don't provide checksums. > > technically just the https ssl cert should be enough to verify that the source > is correct. if the source (e.org) were compromised then the checksum could > also > be compromised to match. if things were delivered over http (non-ssl) then a > checksum would help avoid a MITM modifying the tarball (but they could modify > everything in-flight including checksums too if smart enough). >
There is a sha256sum for each tarball in the News announcement and release email, this was generated before I uploaded the tarballs and once I uploaded them I downloaded them again and confirmed that the tarballs I downloaded have a matching checksum. As raster said we don't upload the checksum to the download server as a separate file. If there was enough demand I guess we could and I could also sign it with my GPG key which would make detecting tampering possible. I know that if a checksum and a signature are present in openSUSE spec files our build service will use them to verify the source code, but to date we only really have that set up for core packages. -- Simon Lees (Simotek) http://simotek.net Emergency Update Team keybase.io/simotek SUSE Linux Adelaide Australia, UTC+10:30 GPG Fingerprint: 5B87 DB9D 88DC F606 E489 CEC5 0922 C246 02F0 014B ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot _______________________________________________ enlightenment-users mailing list enlightenment-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/enlightenment-users
