2011/3/1 John Bayly <[email protected]>

> On 01/03/2011 15:20, Arnaud Quette wrote:
>
> 2011/3/1 John Bayly <[email protected]>
>
>> On 25/02/2011 20:35, Arnaud Quette wrote:
>>
>> Hey Charles,
>>
>> 2011/2/25 Charles Lepple <[email protected]>
>>
>>> On Fri, Feb 25, 2011 at 3:21 AM, Arnaud Quette <[email protected]> wrote:
>>> >
>>> > 2011/2/25 Charles Lepple <[email protected]>
>>> >>
>>> >> On Thu, Feb 24, 2011 at 10:36 AM, Arnaud Quette <[email protected]> wrote:
>>> >> > Hi Charles,
>>> >> >
>>> >> > 2011/2/18 Charles Lepple <[email protected]>
>>> >> >>
>>> >> >> On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
>>> >> >>
>>> >> >> Hi John,
>>> >> >>
>>> >> >> 2011/1/17 John Bayly
>>> >> >>>
>>> >> >>> On 14/01/2011 20:40, Arnaud Quette wrote:
>>> >> >>>>
>>> >> >>>> Author: aquette
>>> >> >>>> Date: Fri Jan 14 20:40:06 2011
>>> >> >>>> New Revision: 2832
>>> >> >>>> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
>>> >> >>>>
>>> >> >>>> +link: http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]
>>> >> >>>
>>> >> >>> May I suggest that you also provide checksums for the tarball? I'm
>>> >> >>> updating the FreeBSD port, and wanted to verify the SHA256 sum. As
>>> >> >>> it's been downloaded from the NUT website, I know the odds of the
>>> >> >>> source being tainted are astronomical, but if it's for a
>>> >> >>> distribution, I thought I'd be extra cautious.
>>> >> >>> As it is I've verified the GPG sig (never used it before) and used
>>> >> >>> the computed SHA sum.
>>> >> >>
>>> >> >> I've added a SHA256 hash, and referenced it in the download section:
>>> >> >> http://www.networkupstools.org/download.html
>>> >> >>
>>> >> >> I've not yet updated the documentation, but it's as simple as
>>> >> >> downloading the nut archive and the matching .sha256 file. Then using:
>>> >> >> $ sha256sum -c nut-2.6.0.tar.gz.sha256
>>> >> >>
>>> >> >> Arnaud,
>>> >> >> I go through a similar set of steps for Fink packages. If there is a
>>> >> >> GPG signature, I'll verify that, since it provides a little more
>>> >> >> chain-of-trust information. However, if I am just downloading a
>>> >> >> single file, it is typically easier to just verify the hash by
>>> >> >> inspection - that is, with the SHA256 on the web page rather than a
>>> >> >> separate file download.
>>> >> >> Also, there is a bit more of an audit trail if the hash is in our
>>> >> >> web pages in SVN.
>>> >> >
>>> >> > I may be too far away, in other consideration...
>>> >> > but, are you saying that it would be better to embed the SHA256 hash
>>> >> > directly on the web page, or simply that searching for this file may
>>> >> > be too hard for the user?
>>> >> >
>>> >> > for the former, the web page always needs a modification for a new
>>> >> > publication (svn commit then push on www.n.o). So changing the stable
>>> >> > release name, and at the same time adding the hash, would not be a
>>> >> > problem.
>>> >>
>>> >> I like this because there is a history of the hashes in SVN. The
>>> >> .sha256 file is not version controlled.
>>> >
>>> > nor the root file it's hashing...
>>> >
>>> >>
>>> >> > for the latter, the file is named <release-file>.sha256, so for
>>> >> > example nut-2.6.0.tar.gz.sha256, which allows checking automation.
>>> >>
>>> >> I guess I'm not sure I see the advantage of putting it in a separate
>>> >> file.
>>> >
>>> > I see no problem.
>>> > can you please do the mod?
>>> >
>>> > cheers,
>>> > Arnaud
>>>
>>> Committed as r2910.
>>
>> thanks, I've just 'moved it to prod'.
>>
>> note that I will however leave the .sha256 file available in the sources/
>> dir, and will distribute future files too.
>> Documentation will be using it (ie 'sha256sum -c nut-X.Y.Z.tar.gz.sha256')
>> since I personally find it more convenient, and automatable.
>>
>> cheers,
>> Arnaud
>>
>> Just realised that you added the checksum a while ago. Thanks for that.
>>
>
> welcome, we kept you cc'ed for that ;-)
> btw, any comment on the .sha256 file vs. hash inside the HTML page?
>
> cheers,
> Arnaud
> --
> Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
> Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
> Debian Developer - http://www.debian.org
> Free Software Developer - http://arnaud.quette.free.fr/
>
> I was getting them, but have been fairly manic recently so this is the
> first time I managed to check.
>
> As for the file vs. inside HTML, if it's an either-or choice, I'd go with
> the file as (as you say) it's more scriptable. I suppose I'm more used to
> checksums rather than GPG signatures as it's how FreeBSD verifies ports (I
> had to install the gnupg port just to verify the signature :-)
> Personally though, I think the more options the better, I can't see any
> disadvantage with both options.
>

indeed, thanks for the confirmation.

cheers,
Arnaud
_______________________________________________ Nut-upsdev mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/nut-upsdev
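The two verification styles discussed in the thread, the scripted `sha256sum -c` against a `<release-file>.sha256` companion file and the by-inspection comparison against a hash copied from the download page, as an added example that is not part of the original thread or of the NUT project's documentation. The tarball contents, the temporary directory and the "pasted" hash are all constructed here so the script runs offline; the file name nut-2.6.0.tar.gz is borrowed from the thread only as a label.

```shell
#!/bin/sh
# Added example (not NUT project code): verify a release tarball against
# its .sha256 companion file, and against a hash pasted by hand, then show
# that both checks fail once the tarball is modified.
set -eu

# Build a constructed stand-in for the release tarball plus its .sha256 file.
# The contents are made up for this example; only the naming convention
# (<release-file>.sha256) follows the thread.
make_fixture() {
    fixture_dir=$(mktemp -d)
    printf 'constructed tarball contents\n' > "$fixture_dir/nut-2.6.0.tar.gz"
    ( cd "$fixture_dir" && sha256sum nut-2.6.0.tar.gz > nut-2.6.0.tar.gz.sha256 )
    echo "$fixture_dir"
}

# Scripted check: sha256sum -c reads "<hex digest>  <file name>" lines from
# the .sha256 file and hashes each named file relative to the current
# directory, so the check must run from the directory holding both files.
# Returns 0 on match, non-zero on mismatch or missing file.
verify_with_file() {          # $1 = directory, $2 = release file name
    ( cd "$1" && sha256sum -c "$2.sha256" >/dev/null 2>&1 )
}

# By-inspection check: compute the digest locally and compare it with the
# value copied from the download page ($3). Returns 0 on match.
verify_with_pasted_hash() {   # $1 = directory, $2 = release file name, $3 = expected digest
    actual=$(sha256sum "$1/$2" | cut -d' ' -f1)
    [ "$actual" = "$3" ]
}

# --- stand-alone demonstration ---------------------------------------------
dir=$(make_fixture)

verify_with_file "$dir" nut-2.6.0.tar.gz && echo "sha256sum -c: OK"

# Stand-in for the digest published on the web page: taken from the
# companion file here because the example has no page to read from.
expected=$(cut -d' ' -f1 "$dir/nut-2.6.0.tar.gz.sha256")
verify_with_pasted_hash "$dir" nut-2.6.0.tar.gz "$expected" && echo "pasted hash: OK"

# Tamper with the tarball: a single appended byte changes the digest.
printf 'x' >> "$dir/nut-2.6.0.tar.gz"
if verify_with_file "$dir" nut-2.6.0.tar.gz; then
    echo "BUG: tampered tarball passed sha256sum -c"; exit 1
fi
echo "sha256sum -c: FAILED as expected after tampering"

rm -rf "$dir"
```

Both checks answer the same question (is this the file the publisher hashed?), and a `.sha256` file fetched from the same server as the tarball only tells you the download was not corrupted: whoever can replace the tarball on that server can replace the companion file too. That is the gap Charles's remarks point at, which is why the GPG signature and the hash history in SVN add something the companion file alone does not.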
