On 25/02/2011 20:35, Arnaud Quette wrote:
Hey Charles,
2011/2/25 Charles Lepple <[email protected]>
On Fri, Feb 25, 2011 at 3:21 AM, Arnaud Quette <[email protected]> wrote:
>
>
> 2011/2/25 Charles Lepple <[email protected]>
>>
>> On Thu, Feb 24, 2011 at 10:36 AM, Arnaud Quette <[email protected]> wrote:
>> > Hi Charles,
>> >
>> > 2011/2/18 Charles Lepple <[email protected]>
>> >>
>> >> On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
>> >>
>> >> Hi John,
>> >>
>> >> 2011/1/17 John Bayly
>> >>>
>> >>> On 14/01/2011 20:40, Arnaud Quette wrote:
>> >>>>
>> >>>> Author: aquette
>> >>>> Date: Fri Jan 14 20:40:06 2011
>> >>>> New Revision: 2832
>> >>>> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
>> >>>>
>> >>>>
>> >>>>
>> >>>>
+link:http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]
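Review bot: the added `link:` line publishes only the detached signature `nut-2.6.0.tar.gz.sig`, and the visible line gives a reader nothing to anchor that check to. Suggest stating next to the link which key signs releases (by fingerprint), and listing the tarball's SHA256 beside it so the value is recorded in the page's revision history.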
>> >>>
>> >>> May I suggest that you also provide checksums for the tarball? I'm
>> >>> updating the FreeBSD port, and wanted to verify the SHA256 sum. As
>> >>> it's been downloaded from the NUT website, I know the odds of the
>> >>> source being tainted are astronomical, but if it's for a
>> >>> distribution, I thought I'd be extra cautious.
>> >>> As it is I've verified the GPG sig (never used it before) and used
>> >>> the computed SHA sum.
>> >>
>> >> I've added a SHA256 hash, and referenced it in the download section:
>> >> http://www.networkupstools.org/download.html
>> >>
>> >> I've not yet updated the documentation, but it's as simple as
>> >> downloading the nut archive and the matching .sha256 file. Then using:
>> >> $ sha256sum -c nut-2.6.0.tar.gz.sha256
>> >>
>> >> Arnaud,
>> >> I go through a similar set of steps for Fink packages. If there is a
>> >> GPG signature, I'll verify that, since it provides a little more
>> >> chain-of-trust information. However, if I am just downloading a single
>> >> file, it is typically easier to just verify the hash by inspection -
>> >> that is, with the SHA256 on the web page rather than a separate file
>> >> download.
>> >> Also, there is a bit more of an audit trail if the hash is in our web
>> >> pages in SVN.
>> >
>> > I may be too far away, in other considerations...
>> > but, are you saying that it would be better to embed the SHA256 hash
>> > directly on the web page, or simply that searching for this file may be
>> > too hard for the user?
>> >
>> > for the former, the web page always needs a modification for a new
>> > publication (svn commit then push on www.n.o). So changing the stable
>> > release name, and at the same time adding the hash would not be a
>> > problem.
>>
>> I like this because there is a history of the hashes in SVN. The
>> .sha256 file is not version controlled.
>
> nor the root file it's hashing...
>
>>
>> > for the latter, the file is named <release-file>.sha256, so for example
>> > nut-2.6.0.tar.gz.sha256, which allows checking automation.
>>
>> I guess I'm not sure I see the advantage of putting it in a separate file.
>
> I see no problem.
> can you please do the mod?
>
> cheers,
> Arnaud
Committed as r2910.
thanks, I've just 'moved it to prod'.
note that I will however leave the .sha256 file available in the
sources/ dir, and will distribute future files too.
Documentation will be using it (i.e. 'sha256sum -c
nut-X.Y.Z.tar.gz.sha256') since I personally find it more convenient,
and automatable.
cheers,
Arnaud
Just realised that you added the checksum a while ago. Thanks for that.
John
_______________________________________________
Nut-upsdev mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/nut-upsdev
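
The two checks discussed in this thread can be combined in a packaging script: compare the tarball against a digest pinned in version control, then confirm the published `.sha256` file names the same digest. This is an added example, not part of the thread or of NUT; `verify_release` and its exit codes are hypothetical, and the "tarball" in the demo is constructed sample data.

```shell
#!/usr/bin/env bash
# Exit codes (assumed for this example): 0 verified, 1 tarball differs from
# the pinned digest, 2 usage error, 3 published .sha256 disagrees with the pin.

# Print only the hex digest of a file.
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_release TARBALL PINNED_SHA256 [PUBLISHED_SHA256_FILE]
verify_release() {
    local tarball="$1" sumfile="${3:-}" pinned actual published
    pinned=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$tarball" ] || { echo "cannot read $tarball" >&2; return 2; }
    # Anything other than 64 hex characters is a copy/paste error, not a digest.
    printf '%s\n' "$pinned" | grep -Eq '^[0-9a-f]{64}$' ||
        { echo "pinned value is not a SHA-256 digest" >&2; return 2; }

    # 1. The pin is the value kept under version control (web page, port file).
    actual=$(sha256_of "$tarball")
    if [ "$actual" != "$pinned" ]; then
        echo "MISMATCH: got $actual, pinned $pinned" >&2
        return 1
    fi
    # 2. The published .sha256 file sits next to the tarball on the server and
    #    has no history of its own, so it must agree with the pin.
    if [ -n "$sumfile" ]; then
        published=$(awk -v f="$(basename "$tarball")" \
            '{ n = $2; sub(/^\*/, "", n) } n == f { print tolower($1) }' "$sumfile")
        [ "$published" = "$pinned" ] ||
            { echo "published .sha256 disagrees with pinned digest" >&2; return 3; }
    fi
    echo "OK: $(basename "$tarball")"
}

# Constructed demo: the "tarball" is the 3-byte string "abc", whose SHA-256
# is the well-known test vector below.
demo() {
    local d pin=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    d=$(mktemp -d) || return 2
    printf 'abc' > "$d/nut-X.Y.Z.tar.gz"
    printf '%s  nut-X.Y.Z.tar.gz\n' "$pin" > "$d/nut-X.Y.Z.tar.gz.sha256"
    verify_release "$d/nut-X.Y.Z.tar.gz" "$pin" "$d/nut-X.Y.Z.tar.gz.sha256"
    printf 'tampered' > "$d/nut-X.Y.Z.tar.gz"
    verify_release "$d/nut-X.Y.Z.tar.gz" "$pin" || echo "rejected, rc=$?"
    rm -rf "$d"
}
demo
```

A digest check of either kind only shows the file matches what was published; the GPG signature remains the check that ties the release to a key.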