The Anarcat <[EMAIL PROTECTED]> writes:

> On Tue, Dec 09, 2008 at 04:30:36PM -0500, Micah Anderson wrote:
>> James Turnbull <[EMAIL PROTECTED]> writes:
>>
>> > The MD5 hash for the file is here:
>> >
>> > http://reductivelabs.com/downloads/puppet/puppet-0.24.7rc2.tgz.md5
>>
>> As the one who requested this[0], I'm happy that this is being
>> provided, thanks! This is significantly better than most projects out
>> there already. However, I do think that it could be one step better. The
>> point of providing a md5sum (or even a sha1 sum) of a release tarball is
>> so that those of us downloading it can verify that the sums match
>> locally with what you have provided. This gives us some integrity
>> checking to know that the tarball hasn't been tampered with in transit
>> (over HTTP that is certainly possible).
>
> This also struck me as being useful, but "not quite there yet", because
> it would have been enough to just paste the checksum in the email since
> James PGP-signed his email too... ;)

I've created documentation in the ticket[0] on this issue about how to get a release signing key set up and how to get it deployed into the release process for puppet. I am very interested in any comments for how to improve this process, how to make it more clear, or if there are any glaring omissions.

I've also created a wiki page which details how people who download the archive could cryptographically verify it[1], I'd also be interested in discussion or ideas about this!

0. http://projects.reductivelabs.com/issues/show/1777
1. http://reductivelabs.com/trac/puppet/wiki/VerifyingDownloads