Hey Charles,

2011/2/25 Charles Lepple <[email protected]>

> On Fri, Feb 25, 2011 at 3:21 AM, Arnaud Quette <[email protected]>
> wrote:
> >
> >
> > 2011/2/25 Charles Lepple <[email protected]>
> >>
> >> On Thu, Feb 24, 2011 at 10:36 AM, Arnaud Quette <[email protected]>
> >> wrote:
> >> > Hi Charles,
> >> >
> >> > 2011/2/18 Charles Lepple <[email protected]>
> >> >>
> >> >> On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
> >> >>
> >> >> Hi John,
> >> >>
> >> >> 2011/1/17 John Bayly
> >> >>>
> >> >>> On 14/01/2011 20:40, Arnaud Quette wrote:
> >> >>>>
> >> >>>> Author: aquette
> >> >>>> Date: Fri Jan 14 20:40:06 2011
> >> >>>> New Revision: 2832
> >> >>>> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
> >> >>>>
> >> >>>>
> >> >>>>
> >> >>>> +link:
> http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]
> >> >>>
> >> >>> May I suggest that you also provide checksums for the tarball? I'm
> >> >>> updating the FreeBSD port, and wanted to verify the SHA256 sum. As
> >> >>> it's been downloaded from the NUT website, I know the odds of the
> >> >>> source being tainted are astronomical, but if it's for a
> >> >>> distribution, I thought I'd be extra cautious.
> >> >>> As it is I've verified the GPG sig (never used it before) and used
> >> >>> the computed SHA sum.
> >> >>
> >> >> I've added a SHA256 hash, and referenced it in the download section:
> >> >> http://www.networkupstools.org/download.html
> >> >>
> >> >> I've not yet updated the documentation, but it's as simple as
> >> >> downloading the nut archive and the matching .sha256 file. Then using:
> >> >> $ sha256sum -c nut-2.6.0.tar.gz.sha256
> >> >>
> >> >> Arnaud,
> >> >> I go through a similar set of steps for Fink packages. If there is a
> >> >> GPG signature, I'll verify that, since it provides a little more
> >> >> chain-of-trust information. However, if I am just downloading a
> >> >> single file, it is typically easier to just verify the hash by
> >> >> inspection - that is, with the SHA256 on the web page rather than a
> >> >> separate file download.
> >> >> Also, there is a bit more of an audit trail if the hash is in our web
> >> >> pages in SVN.
> >> >
> >> > I may be too far away, in other consideration...
> >> > but, are you saying that it would be better to embed the SHA256 hash
> >> > directly on the web page, or simply that searching for this file may
> >> > be too hard for the user?
> >> >
> >> > for the former, the web page always needs a modification for new
> >> > publication (svn commit then push on www.n.o). So changing the stable
> >> > release name, and at the same time adding the hash would not be a
> >> > problem.
> >>
> >> I like this because there is a history of the hashes in SVN. The
> >> .sha256 file is not version controlled.
> >
> > nor the root file it's hashing...
> >
> >>
> >> > for the latter, the file is named <release-file>.sha256, so for
> >> > example nut-2.6.0.tar.gz.sha256, which allows checking automation.
> >>
> >> I guess I'm not sure I see the advantage of putting it in a separate
> >> file.
> >
> > I see no problem.
> > can you please do the mod?
> >
> > cheers,
> > Arnaud
>
> Committed as r2910.
>

thanks, I've just 'moved it to prod'.

note that I will however leave the .sha256 file available in the sources/ dir, and will distribute future files too.
Documentation will be using it (ie 'sha256sum -c nut-X.Y.Z.tar.gz.sha256') since I personally find it more convenient, and automatable.

cheers,
Arnaud

_______________________________________________
Nut-upsdev mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/nut-upsdev
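
The two checks discussed in this thread, the `.sha256` file with `sha256sum -c` and the hash read off the web page, combined in one added shell example; it is not part of the original messages and not NUT project code. `verify_release`, `demo` and the `nut-X.Y.Z` stand-in file are names constructed for illustration, and the sidecar is assumed to sit in the same directory as the tarball.

```shell
#!/bin/sh
# Added example, not NUT project code. verify_release is a hypothetical helper.
# Args: <tarball> <sidecar .sha256 in the same directory> <hash copied from the web page>
# Returns 0 = both checks pass, 1 = sidecar problem, 2 = web-page hash mismatch.
verify_release() {
    tarball=$1; sidecar=$2; pinned=$3
    dir=$(dirname "$tarball"); name=$(basename "$tarball")

    # A sidecar that never mentions this tarball would "pass" while checking
    # some other file, so require an entry for it first.
    # Entries look like "<hash>  <name>" (text) or "<hash> *<name>" (binary).
    awk -v f="$name" '($2 == f) || ($2 == ("*" f)) { found = 1 }
                      END { exit !found }' "$sidecar" \
        || { echo "sidecar does not list $name" >&2; return 1; }

    # Check 1: the thread's 'sha256sum -c', run in the tarball's directory
    # because sidecar entries are relative file names.
    ( cd "$dir" && sha256sum -c "$(basename "$sidecar")" >/dev/null 2>&1 ) \
        || { echo "sidecar hash mismatch for $name" >&2; return 1; }

    # Check 2: compare against the hash published on the version-controlled
    # web page, normalising case and stray whitespace from copy and paste.
    actual=$(sha256sum "$tarball" | cut -d' ' -f1)
    want=$(printf '%s' "$pinned" | tr 'A-F' 'a-f' | tr -d ' \n')
    [ "$actual" = "$want" ] \
        || { echo "web-page hash mismatch for $name" >&2; return 2; }
    echo "$name: OK ($actual)"
}

# Constructed demo: a stand-in file, not a real NUT release.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a release tarball\n' > "$d/nut-X.Y.Z.tar.gz"
    ( cd "$d" && sha256sum nut-X.Y.Z.tar.gz > nut-X.Y.Z.tar.gz.sha256 )
    page_hash=$(cut -d' ' -f1 "$d/nut-X.Y.Z.tar.gz.sha256")
    verify_release "$d/nut-X.Y.Z.tar.gz" "$d/nut-X.Y.Z.tar.gz.sha256" "$page_hash" \
        && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```

Both hashes only show that the download matches what the site published; the GPG signature mentioned in the thread is the check tied to the signer's key.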
