2010.10.14 00:21, "Dr. Peter Pöml" rašė:
Hi,
Am 13.10.2010 um 22:29 schrieb Rimas Kudelis:
2010.10.13 20:30, "Dr. Peter Pöml" rašė:
You find the md5 (and other hashes) on the "origin" download server:
http://download.documentfoundation.org/libreoffice/testing/3.3.0-beta2/deb/x86/LibO_3.3.0_beta2_Linux_x86_install-deb_en-US.tar.gz.mirrorlist
<...>
Would it be possible to put up an md5sum file similar to:
http://download.openoffice.org/md5sums/3.2.1_md5sums.txt
so that downloads can be checked?
I would generally recommend to use a hash from the download server for
reference, and not from a mirror.
The crypto hashes need to be made more present on the download page. Sorry that
you had to look so hard, I hope we can improve on this soon!
I still think we should provide md5 hashes for download on the mirrors
too. That place is pretty convenient, many would expect md5sums to be
there, so I don't see a reason not to do that.
Well, I think that in the first place the hashes should be provided in a
well-visible place for the user, which is on the download page (not necessarily
displayed there, but linked there. That's the point that everybody passes. And
people shouldn't have to search hard (or ask around) for this info. Only few
people will look directly on a mirror. And with all files on mirrors there's
the security issue.
I just don't think these options are exclusive. A person bad enough to
hack the distribution files will have no problem generating a
"corrected" md5sums file anyway. We don't have to promote those md5sums
files, but I don't see a big reason for them to not exist at all.
Rimas
--
To unsubscribe, e-mail to [email protected]
All messages you send to this list will be publicly archived and cannot be
deleted.
List archives are available at http://www.documentfoundation.org/lists/mirrors/
