On Wed, 15 Apr 2020 at 06:09, Uwe Düffert via lfs-dev <lfs-dev@lists.linuxfromscratch.org> wrote: > > ... > about a certain versioned/timestamped archive matches the checksum of > presumably the same archive fetched from any other mirror. After all, > checksumming is about increasing trust and not about (unnecessarily) > sowing doubts. Now, every mismatch can be considered problem - as it > should. >
Not a solution for everyone but, note that the bootscripts tarball is generated from the Book's sources. So, if a user is able to download a checksum-ed tarball of the Book sources (full trust) and render that locally, the problem goes away, even though the checksum of the locally generated tarball may not match that quoted in the Book (chain oif trust?). -- http://lists.linuxfromscratch.org/listinfo/lfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
