On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
Hi John,
2011/1/17 John Bayly
On 14/01/2011 20:40, Arnaud Quette wrote:
Author: aquette
Date: Fri Jan 14 20:40:06 2011
New Revision: 2832
URL: http://trac.networkupstools.org/projects/nut/changeset/2832
+link:http://www.networkupstools.org/source/2.6/
nut-2.6.0.tar.gz.sig[signature]
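Review bot: the added +link: line publishes the detached signature nut-2.6.0.tar.gz.sig, but nothing on that line tells a reader which key made it or how to check it. Suggest putting the signing key's fingerprint and the verification command (gpg --verify nut-2.6.0.tar.gz.sig nut-2.6.0.tar.gz) beside the link, and listing a SHA256 sum next to it for packagers who record hashes in their ports.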
May I suggest that you also provide checksums for the tarball? I'm
updating the FreeBSD port, and wanted to verify the SHA256 sum. As
it's been downloaded from the NUT website, I know the odds of the
source being tainted are astronomical, but if it's for a
distribution, I thought I'd be extra cautious.
As it is I've verified the GPG sig (never used it before) and used
the computed SHA sum.
I've added a SHA256 hash, and referenced it in the download section:
http://www.networkupstools.org/download.html
I've not yet updated the documentation, but it's as simple as
downloading the nut archive and the matching .sha256 file. Then using:
$ sha256sum -c nut-2.6.0.tar.gz.sha256
Arnaud,
I go through a similar set of steps for Fink packages. If there is a
GPG signature, I'll verify that, since it provides a little more
chain-of-trust information. However, if I am just downloading a single file,
it is typically easier to just verify the hash by inspection - that
is, with the SHA256 on the web page rather than a separate file
download.
Also, there is a bit more of an audit trail if the hash is in our web
pages in SVN.
Just my $0.02.
- Charles
_______________________________________________
Nut-upsdev mailing list
http://lists.alioth.debian.org/mailman/listinfo/nut-upsdev
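
The two checks discussed in this thread (the downloaded .sha256 file and the hash read from a web page), as an added example that is not part of the original messages. The function names are hypothetical and the files are constructed stand-ins. It shows that a .sha256 file fetched from the same place as the tarball still verifies if both are replaced together, while a hash recorded elsewhere does not.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the files are constructed
# stand-ins created in a temp directory, not the real NUT release.

# Check an archive against the .sha256 file downloaded alongside it.
verify_sidecar() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")" >/dev/null 2>&1 )
}

# Check an archive against a digest copied from a separately trusted page.
# Returns 0 on match, 1 on mismatch, 2 if the pasted value is not a SHA-256.
verify_pinned() {
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case "$expected" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2   # reject truncated pastes
    [ "$actual" = "$expected" ]
}

# Run both checks on a good download, then on a download where the archive
# and its .sha256 were replaced together. Prints the four exit codes.
demo() {
    dir=$(mktemp -d) || return 1
    name=nut-2.6.0.tar.gz
    printf 'constructed release contents\n' > "$dir/$name"
    pinned=$(sha256sum "$dir/$name" | cut -d' ' -f1)   # "hash on the web page"
    ( cd "$dir" && sha256sum "$name" > "$name.sha256" )
    verify_sidecar "$dir/$name.sha256" && r1=0 || r1=$?
    verify_pinned "$dir/$name" "$pinned" && r2=0 || r2=$?

    printf 'replaced contents\n' > "$dir/$name"
    ( cd "$dir" && sha256sum "$name" > "$name.sha256" )
    verify_sidecar "$dir/$name.sha256" && r3=0 || r3=$?   # still passes
    verify_pinned "$dir/$name" "$pinned" && r4=0 || r4=$?  # catches it
    rm -rf "$dir"
    echo "$r1 $r2 $r3 $r4"
}

demo   # prints: 0 0 0 1
```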