On Thu, Feb 24, 2011 at 10:36 AM, Arnaud Quette <[email protected]> wrote:
> Hi Charles,
>
> 2011/2/18 Charles Lepple <[email protected]>
>>
>> On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
>>
>> Hi John,
>>
>> 2011/1/17 John Bayly
>>>
>>> On 14/01/2011 20:40, Arnaud Quette wrote:
>>>>
>>>> Author: aquette
>>>> Date: Fri Jan 14 20:40:06 2011
>>>> New Revision: 2832
>>>> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
>>>>
>>>>
>>>> +link:http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]
>>>
>>> May I suggest that you also provide checksums for the tarball? I'm
>>> updating the FreeBSD port, and wanted to verify the SHA256 sum. As it's been
>>> downloaded from the NUT website, I know the odds of the source being tainted
>>> are astronomical, but if it's for a distribution, I thought I'd be extra
>>> cautious.
>>> As it is I've verified the GPG sig (never used it before) and used the
>>> computed SHA sum.
>>
>> I've added a SHA256 hash, and referenced it in the download section:
>> http://www.networkupstools.org/download.html
>>
>> I've not yet updated the documentation, but it's as simple as downloading the
>> nut archive and the matching .sha256 file. Then using:
>> $ sha256sum -c nut-2.6.0.tar.gz.sha256
>>
>> Arnaud,
>> I go through a similar set of steps for Fink packages. If there is a GPG
>> signature, I'll verify that, since it provides a little more chain-of-trust
>> information. However, if I am just downloading a single file, it is
>> typically easier to just verify the hash by inspection - that is, with the
>> SHA256 on the web page rather than a separate file download.
>> Also, there is a bit more of an audit trail if the hash is in our web
>> pages in SVN.
>
> I may be too far away, in other consideration...
> but, are you saying that it would be better to embed the SHA256 hash
> directly on the web page, or simply that searching for this file may be too
> hard for the user?
>
> for the former, the web page always needs a modification for new publication
> (svn commit then push on www.n.o). So changing the stable release name, and
> at the same time adding the hash would not be a problem.
I like this because there is a history of the hashes in SVN. The .sha256 file
is not version controlled.

> for the latter, the file is named <release-file>.sha256, so for example
> nut-2.6.0.tar.gz.sha256, which allows checking automation.

I guess I'm not sure I see the advantage of putting it in a separate file.

-- 
- Charles Lepple
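
An added example, not code from the thread or from the NUT project, covering both routes the thread compares: verifying a tarball with the companion `<release-file>.sha256` file via `sha256sum -c`, and verifying it against a hash copied from the download page. It assumes coreutils `sha256sum` (or BSD/macOS `shasum -a 256`) is installed; the tarball contents, the temp directory and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): check a release tarball against its
# companion <release-file>.sha256 file, as `sha256sum -c` does, and against
# a hash copied from the download page. Uses coreutils sha256sum where
# present, otherwise the shasum shipped on BSD/macOS.
set -u

sha256_check() {   # $1 = .sha256 file; run from the directory holding the tarball
    if command -v sha256sum >/dev/null 2>&1; then sha256sum -c "$1" >/dev/null 2>&1
    else shasum -a 256 -c "$1" >/dev/null 2>&1; fi
}

sha256_of() {      # print only the hex digest of $1
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Sidecar route. The .sha256 file names the tarball relative to itself, so the
# check runs in the download directory. Returns 0 on match, 1 if missing/mismatch.
verify_with_sidecar() {
    [ -f "$1.sha256" ] || return 1
    ( cd "$(dirname "$1")" && sha256_check "$(basename "$1").sha256" )
}

# Web-page route: compare against a hash pasted from the page, so there is no
# second download and the expected value sits in the page's version history.
verify_with_page_hash() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Constructed demo: a stand-in for nut-2.6.0.tar.gz with its sidecar, then a
# tampered copy checked against the stale sidecar. Returns 0 if both routes
# accept the genuine file and reject the tampered one.
demo() {
    dir=$(mktemp -d) || return 1
    tb="$dir/nut-2.6.0.tar.gz"
    printf 'constructed stand-in for the release tarball\n' > "$tb"
    good=$(sha256_of "$tb")
    printf '%s  nut-2.6.0.tar.gz\n' "$good" > "$tb.sha256"   # maintainer side
    verify_with_sidecar "$tb" || return 1
    verify_with_page_hash "$tb" "$good" || return 1
    printf 'extra bytes\n' >> "$tb"                            # tamper
    verify_with_sidecar "$tb" && return 1
    verify_with_page_hash "$tb" "$good" && return 1
    rm -rf "$dir"
}

demo && echo "genuine tarball accepted, tampered tarball rejected"
```

Either route only proves the bytes match what the site published; tying the release to the maintainer's identity is what the GPG signature mentioned in the thread adds, so a packager verifies the `.sig` as well when a key is available.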
