Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-06 Thread Graeme Geldenhuys

On 2017-12-06 11:03, Marcos Douglas B. Santos wrote:
>> Windows just isn't fun. Long live FreeBSD and Linux.
>
> I believe you compile FPC on Linux, right?
> So, why do you do the same on Windows? It's pretty easy...


FreeBSD only. And yes, I do compile every FPC release under Windows to 
get a native 64-bit version. But normally I have a starting compiler. On 
my work system (with no admin rights), I couldn't install the official 
FPC. But in the end I managed - just had to jump through a couple of hoops.


My comment "Windows just isn't fun." applies to Windows in general. Compared 
to Unix based systems, I can install and do anything in my $HOME 
directory, but under Windows I can't even run most installers - even 
though I plan to install to my own profile only.


Regards,
  Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp
___
fpc-pascal maillist  -  fpc-pascal@lists.freepascal.org
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-06 Thread Marcos Douglas B. Santos
On Tue, Dec 5, 2017 at 10:13 PM, Graeme Geldenhuys
 wrote:
>
> Windows just isn't fun. Long live FreeBSD and Linux.

I believe you compile FPC on Linux, right?
So, why do you do the same on Windows? It's pretty easy...

Best,
Marcos Douglas

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-05 Thread Graeme Geldenhuys

On 2017-12-03 22:46, Tomas Hajny wrote:
> Similarly, MS
> Windows would probably complain when trying to run an incomplete
> installer.


Yes, Windows 10 tells me the official FPC installer contains a virus and 
duly deleted the download (without giving me a choice). I downloaded 
from SF.net.


The other issue being that the official FPC installer can't be run under 
a non-Admin account under Windows. I don't have admin access on my work 
laptop. Thanks to Michael van Canneyt for telling me about the Inno 
Setup 3rd-party unpacker tool.


Hence I had to manually bootstrap FPC 3.0.2 and 3.0.4 on that system.

Windows just isn't fun. Long live FreeBSD and Linux.

Regards,
  Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-04 Thread Tomas Hajny
On Mon, December 4, 2017 15:01, Martok wrote:
>
>>> SourceForge gives checksums, too:
>>
>> true, clicking on the 'i' in the rightmost column shows a popup with md5
>> and sha1 hashes.
> Of course, that doesn't prove nobody has tampered with the files as
> present on SF.net, which is the entire point of signed releases.

That comes back to the point about the root source of trust. The recent
discussion was more about the data transfer consistency.


> I take it there's also no Debian reproducible build? Not of particular use
> to me personally, but I like the idea, especially for a compiler.

Debian releases are performed by a Debian maintainer, not the FPC team.
IIRC, there have been some changes triggered by this maintainer in an
attempt to ensure reproducible builds.

Tomas



Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-04 Thread Martok

>> SourceForge gives checksums, too:
> 
> true, clicking on the 'i' in the rightmost column shows a popup with md5
> and sha1 hashes.
Of course, that doesn't prove nobody has tampered with the files as present on
SF.net, which is the entire point of signed releases.

I take it there's also no Debian reproducible build? Not of particular use to me
personally, but I like the idea, especially for a compiler.

-- 
Regards,
Martok

Ceterum censeo b32079 esse sanandam.


Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-04 Thread wkitty42

On 12/03/2017 01:48 PM, pasc...@piments.com wrote:
> How do I get off this list ?!

the same way you got on it... follow the mailman link attached to every post on 
the list, sign in and turn the list off for you...



--
 NOTE: No off-list assistance is given without prior approval.
   *Please keep mailing list traffic on the list unless*
   *a signed and pre-paid contract is in effect with us.*

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-04 Thread kardan
On Sun, 3 Dec 2017 19:46:53 +0100
Benito van der Zander  wrote:

> SourceForge gives checksums, too:

true, clicking on the 'i' in the rightmost column shows a popup with md5
and sha1 hashes. did not see it before. thanks! it helps to verify the
download manually, but for automation parsing the website would be
necessary.

Kardan

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Benito van der Zander

Hi,

 SourceForge gives checksums, too:




Cheers,
Benito



On 30.11.2017 at 15:47, Tomas Hajny wrote:
> On Thu, November 30, 2017 15:32, kardan wrote:
>> Wow, both of you managed to avoid my actual question. :)
>>
>> On Thu, 30 Nov 2017 13:00:07 +0100
>> kardan  wrote:
>>
>>> How can I verify those downloads with shasum or gpg fingerprints)?
>>> (FTP and HTTP seem not to be the safest ways these days.)
>
> Sourceforge provides HTTPS access, that should be safe enough. Apart from
> that - no, checksums are not being created as part of the release process
> at the moment.
>
> Tomas



Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Tomas Hajny
On Sun, December 3, 2017 18:49, kardan wrote:
> On Sun, 3 Dec 2017 00:33:04 +0100
> "Tomas Hajny"  wrote:
>
>> On Fri, December 1, 2017 00:55, kardan wrote:
>>  .
>>  .
>> > In your case it would be probably enough to
>> > sha256sum $FILES > SHA256SUMS.txt
>> > gpg --sign SHA256SUMS.txt
>>
>> Sorry, but I'm afraid that you miss the point
>
> In what way?
>
>> adding checksums requires additional effort from release builders
>
> Yes, to run a script. Like many others.

Then provide such a script that would cover all the cases. Simple, right?


>> and they are not convinced about usefulness and/or necessity
>
> FPC is a niche and if one intends to make it more widespread, best
> practice should be followed. More users with slow connection will show

Let's say that I'm not convinced that being a niche or not depends on
checksums...


> up in the future. The best way to verify downloads after continuing a
> download is a checksum. I am willing to learn other ways however, if
> you teach me how to verify a download (not by just comparing file size).

At least .zip and .tar.gz files already contain checksums and the
respective unpackers warn you in case of an incomplete file. Similarly, MS
Windows would probably complain when trying to run an incomplete
installer. I know next to nothing about .dmg files for Mac OS X, but I'm
strongly convinced they would behave similarly. Ditto for .rpm packages.
Have I forgotten something?


>> this at the moment (especially if a secure download option is already
>
> Secure download (HTTPS) does not provide verification. I use ansible
> and travis a lot and when a download fails, the build fails. For
> example composer silently accepts terminated connections as successful
> downloads. It uses the curl API internally which means the "modern"
> curl won't tell you, if the load balancer terminates the connection
> after 15 minutes. If your internet is fast enough, you are happy,
> otherwise you end up with a file of 25mb instead of 40mb and notice that
> tar and composer phar fail.

The FPC team isn't responsible for tools used by users. Regardless of the
platform, most WWW browsers provide means for checking whether the
download was successful / complete, or not. If somebody chooses to use
broken tools, well, his or her choice.


>> anybody may build the release on his own from the provided sources to
>> make 100% sure about the consistency).
>
> The source can't be downloaded with verification. Apart from that, do

It can - see above. Moreover, it's also possible to get the sources from
the SVN repository (already HTTPS too).


> you imply, that you intend to burden programmers with work the release
> team should have done?

No, I say that people considering it important have ways for checking
consistency. I would be very careful indeed if programming for a nuclear
plant; most programmers are not in such a position.


>> Nevertheless, if you consider this a priority, you can try to provide
>> a complete solution
>
> Is this a job offer? I can provide a cron script with no cost.

Yes, it's a job offer. You can get twice as much money for that job as I
do for preparing the OS/2 releases and some other stuff - fair enough? ;-)


>> While thinking about the solution, take the following into account:
>>
>> 1) Releases for all platforms are not created at the same time
>
> It does not matter when and where files are created, just that they are
> served along with valid checksums to verify downloads.
 .
 .

Alright, that approach assumes that the checksums are created at the build
platforms. This implies that the tools used must be supported on all those
platforms. I mentioned this point above because the other potential option
would be collecting all release files first and running a script on all of
them at once to reduce the dependencies and effort for release builders.


>> 2) $FILES are scattered across a larger amount of subdirectories
>
> It also does not matter how cross-mounted the server infrastructure is,
> just that files are available and the checksum file is created from
> actually present files by a cron job.

We can discuss this once the cron job exists. Obviously, a potential cron
job needs to be sure that the file is already complete at the time this
job runs. This is actually much more difficult than checking the
consistency at the user side, btw (let's take the Windows installer as a
nice example).


>> 3) Release builds are being created by various people
>
> See 1. The FTP master is on top of that and may ignore details about
> creation of files as long as at the time of a download the provided
> checksum is correct.

I talk about creation of the checksums, not the download time.


>> 4) Releases are available from two groups of servers with different
>> structure and different maintenance options. One group are SF.net
>> mirrors, the other are FTP / HTTP mirrors of the FPC repository.
>
> Is it really so hard to put a checksum file in the root folder?

Root of 

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Tomas Hajny
On Sun, December 3, 2017 19:56, kardan wrote:
> On Sun, 3 Dec 2017 18:59:40 +0100
> Florian Klämpfl  wrote:
>
>> > If your server is able to host files you will be able to generate a
>> > checksum file *anywhere* and put it onto it.
>>
>> Yes, if somebody with shell access to the server finds the time to set
>> this up.
>
> Let's hope someone privileged puts attached file into
> https://sourceforge.net/projects/freepascal/files/Source/3.0.4
 .
 .

Done. Note that I would _not_ be willing to do the same for all the
directories containing some files for 3.0.4 though.

Tomas



Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Graeme Geldenhuys

On 2017-12-03 18:56, kardan wrote:
> Let's hope someone privileged puts attached file into
> https://sourceforge.net/projects/freepascal/files/Source/3.0.4


I got the same downloads from ftp.freepascal.org and ran the shasum 
utility against those. I can confirm your SHA256 values are correct.



[FPC 3.0.4]$ shasum -a 256 *
244fda03fff870db2dc92b4de4694489874ae8b47342621f42233ff0be318290  SVNfiles-3.0.4.tar.gz
69b3b7667b72b6759cf27226df5eb54112ce3515ff5efb79d95ac14bac742845  fpc-3.0.4.source.tar.gz
2ff94147eb6f20cf4429d31a2c4d8a2fcd011e28d39bc30dfb593ba8ee00448f  fpc-3.0.4.source.zip
f66514e6f2c2e4e1bb4d554c24b77682ed61c87811ae5dd210f421855e76  fpcbuild-3.0.4.tar.gz
8473fd065d82be033bf303b6d3347c559ca17669f4354f6ca0e78372dde9c1c3  fpcbuild-3.0.4.zip




Regards,
  Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Florian Klämpfl
On 03.12.2017 at 19:54, code dz wrote:
> 2017-12-03 18:59 UTC+01:00, Florian Klämpfl :
>> On 03.12.2017 at 18:49, kardan wrote:
>>> Apart from that, do
>>> you imply, that you intend to burden programmers with work the release
>>> team should have done?
>>
>> Which release team? We are happy that we managed within 3 months to find
>> people being able, willing
>> and having the resources to build and upload 3.0.4. That's the situation.
>> Not some useless checksum.
> 
> this is a scary situation :( predicts a mysterious future of fpc

Well, there are two things to differ: releasing and development. Releasing
(includes making needed scripts, building itself, testing, uploading) is simply
tedious work probably nobody likes. So any additional step makes this worse.
Working on new FPC features is another story.


Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread kardan
On Sun, 3 Dec 2017 18:59:40 +0100
Florian Klämpfl  wrote:

> > If your server is able to host files you will be able to generate a
> > checksum file *anywhere* and put it onto it.  
> 
> Yes, if somebody with shell access to the server finds the time to set
> this up.

Let's hope someone privileged puts attached file into
https://sourceforge.net/projects/freepascal/files/Source/3.0.4

This is no recursive and repeatable solution but the very least
necessary.

If I get a positive response I am willing to invest more time.

Thanks!
Kardan
69b3b7667b72b6759cf27226df5eb54112ce3515ff5efb79d95ac14bac742845  fpc-3.0.4.source.tar.gz
2ff94147eb6f20cf4429d31a2c4d8a2fcd011e28d39bc30dfb593ba8ee00448f  fpc-3.0.4.source.zip
f66514e6f2c2e4e1bb4d554c24b77682ed61c87811ae5dd210f421855e76  fpcbuild-3.0.4.tar.gz
8473fd065d82be033bf303b6d3347c559ca17669f4354f6ca0e78372dde9c1c3  fpcbuild-3.0.4.zip
244fda03fff870db2dc92b4de4694489874ae8b47342621f42233ff0be318290  SVNfiles-3.0.4.tar.gz


Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread code dz
2017-12-03 18:59 UTC+01:00, Florian Klämpfl :
> On 03.12.2017 at 18:49, kardan wrote:
>> Apart from that, do
>> you imply, that you intend to burden programmers with work the release
>> team should have done?
>
> Which release team? We are happy that we managed within 3 months to find
> people being able, willing
> and having the resources to build and upload 3.0.4. That's the situation.
> Not some useless checksum.

this is a scary situation :( predicts a mysterious future of fpc

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Florian Klämpfl
On 03.12.2017 at 18:53, kardan wrote:
> On Sun, 3 Dec 2017 18:36:09 +0100
> Florian Klämpfl  wrote:
> 
>> Yes. And I was pointing out that your script does not help much as
>> it is debian/linux only while we create releases for several
>> different OSes.
> 
> Does this mean, you are not able to run bash scripts? Or you
> cannot find tools to generate checksums? I do not get your complaint.
>
> Please do not confuse "serving files for windows" with "files
> hosted on a windows server".
> 
> If your server is able to host files you will be able to generate a
> checksum file *anywhere* and put it onto it.

Yes, if somebody with shell access to the server finds the time to set this up.

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Florian Klämpfl
On 03.12.2017 at 18:49, kardan wrote:
> Apart from that, do
> you imply, that you intend to burden programmers with work the release
> team should have done?

Which release team? We are happy that we managed within 3 months to find people
being able, willing and having the resources to build and upload 3.0.4. That's
the situation. Not some useless checksum.

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread kardan
On Sun, 3 Dec 2017 18:36:09 +0100
Florian Klämpfl  wrote:

> Yes. And I was pointing out that your script does not help much as
> it is debian/linux only while we create releases for several
> different OSes.

Does this mean, you are not able to run bash scripts? Or you
cannot find tools to generate checksums? I do not get your complaint.
Please do not confuse "serving files for windows" with "files
hosted on a windows server".

If your server is able to host files you will be able to generate a
checksum file *anywhere* and put it onto it.

Kardan

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread kardan
On Sun, 3 Dec 2017 00:33:04 +0100
"Tomas Hajny"  wrote:

> On Fri, December 1, 2017 00:55, kardan wrote:
>  .
>  .
> > In your case it would be probably enough to
> > sha256sum $FILES > SHA256SUMS.txt
> > gpg --sign SHA256SUMS.txt  
> 
> Sorry, but I'm afraid that you miss the point

In what way?

> adding checksums requires additional effort from release builders 

Yes, to run a script. Like many others.

> and they are not convinced about usefulness and/or necessity 

FPC is a niche and if one intends to make it more widespread, best
practice should be followed. More users with slow connection will show
up in the future. The best way to verify downloads after continuing a
download is a checksum. I am willing to learn other ways however, if
you teach me how to verify a download (not by just comparing file size).

> this at the moment (especially if a secure download option is already

Secure download (HTTPS) does not provide verification. I use ansible
and travis a lot and when a download fails, the build fails. For
example composer silently accepts terminated connections as successful
downloads. It uses the curl API internally which means the "modern"
curl won't tell you, if the load balancer terminates the connection
after 15 minutes. If your internet is fast enough, you are happy,
otherwise you end up with a file of 25mb instead of 40mb and notice that
tar and composer phar fail.

> anybody may build the release on his own from the provided sources to
> make 100% sure about the consistency).

The source can't be downloaded with verification. Apart from that, do
you imply, that you intend to burden programmers with work the release
team should have done?
 
> Nevertheless, if you consider this a priority, you can try to provide
> a complete solution

Is this a job offer? I can provide a cron script with no cost.
 
> While thinking about the solution, take the following into account:
> 
> 1) Releases for all platforms are not created at the same time

It does not matter when and where files are created, just that they are
served along with valid checksums to verify downloads.

> 2) $FILES are scattered across a larger amount of subdirectories

It also does not matter how cross-mounted the server infrastructure is,
just that files are available and the checksum file is created from
actually present files by a cron job.

> 3) Release builds are being created by various people

See 1. The FTP master is on top of that and may ignore details about
creation of files as long as at the time of a download the provided
checksum is correct.

> 4) Releases are available from two groups of servers with different
> structure and different maintenance options. One group are SF.net
> mirrors, the other are FTP / HTTP mirrors of the FPC repository.

Is it really so hard to put a checksum file in the root folder?

> would need to think where the potential SHA256SUMS.txt file should be
> stored on both of these groups (or how else it should be made
> available).

Yes please, every mirror should provide a signed checksum file.

Thanks!
kardan

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread pascalX

On 03/12/17 17:36, Florian Klämpfl wrote:
> On 03.12.2017 at 18:20, kardan wrote:
>> On Fri, 1 Dec 2017 21:02:30 +0100
>> Florian Klämpfl  wrote:
>>
>>> And? FPC is not debian/linux only.
>>
>> If you are using windows I recommend to use one of the many checksum
>> tools to verify downloaded files. But for that, releases must publish
>> checksums for those files first.
>
> Yes. And I was pointing out that your script does not help much as it is
> debian/linux only while we create releases for several different OSes.



How do I get off this list ?!

thx


Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread Florian Klämpfl
On 03.12.2017 at 18:20, kardan wrote:
> On Fri, 1 Dec 2017 21:02:30 +0100
> Florian Klämpfl  wrote:
> 
>> And? FPC is not debian/linux only.
> 
> If you are using windows I recommend to use one of the many checksum
> tools to verify downloaded files. But for that, releases must publish
> checksums for those files first. 

Yes. And I was pointing out that your script does not help much as it is
debian/linux only while we create releases for several different OSes.

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-03 Thread kardan
On Fri, 1 Dec 2017 21:02:30 +0100
Florian Klämpfl  wrote:

> And? FPC is not debian/linux only.

If you are using windows I recommend to use one of the many checksum
tools to verify downloaded files. But for that, releases must publish
checksums for those files first. Another option is to download the file
on a server in seconds. Create a checksum and compare it with the one
generated on your home computer.

Kardan

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-02 Thread Tomas Hajny
On Fri, December 1, 2017 00:55, kardan wrote:
 .
 .
> In your case it would be probably enough to
> sha256sum $FILES > SHA256SUMS.txt
> gpg --sign SHA256SUMS.txt

Sorry, but I'm afraid that you miss the point - adding checksums requires
additional effort from release builders and they are not convinced about
usefulness and/or necessity of this at the moment (especially if a secure
download option is already available and anybody may build the release on
his own from the provided sources to make 100% sure about the
consistency).

Nevertheless, if you consider this a priority, you can try to provide a
complete solution - if the additional effort is negligible, the FPC core
team _may_ consider using this solution for future releases.

While thinking about the solution, take the following into account:

1) Releases for all platforms are not created at the same time (it's often
the case that release builds for less common targets are added later).
This means that the checksums may not be added at once by a single person
(release coordinator) as suggested in one of the posts in this thread.

2) $FILES are scattered across a larger amount of subdirectories on the
master server (obviously, this may be scripted, but someone would still
need to do it).

3) Release builds are being created by various people on different
platforms (*nix, MS Windows, OS/2, etc.) with varying level of automation
(it isn't always that everything is a matter of a single make command
followed by an upload). These platforms may not have the tools mentioned
above, or at least not have them installed by default. Different make
targets are used on different platforms due to differences in the
installation package formats.

4) Releases are available from two groups of servers with different
structure and different maintenance options. One group are SF.net mirrors,
the other are FTP / HTTP mirrors of the FPC repository. You would need to
think where the potential SHA256SUMS.txt file should be stored on both of
these groups (or how else it should be made available).

Tomas



Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-02 Thread Mattias Gaertner
On Sat, 2 Dec 2017 21:20:17 +0100 (CET)
mar...@stack.nl (Marco van de Voort) wrote:

> In our previous episode, Mattias Gaertner said:
> > The doc-chm.zip has only 7.6mb, while the doc-html.zip has 17.9mb.
> > 
> > Reason is that many html files are empty. For example: rtl.chm
> > classes/tthread.html
> > 
> > Should I report a bug?  
> 
> Yes, please do. I won't be able to follow up on short notice though.
> Probably christmas.

Done
https://bugs.freepascal.org/view.php?id=32765

Mattias

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-02 Thread Marco van de Voort
In our previous episode, Mattias Gaertner said:
> The doc-chm.zip has only 7.6mb, while the doc-html.zip has 17.9mb.
> 
> Reason is that many html files are empty. For example: rtl.chm
> classes/tthread.html
> 
> Should I report a bug?

Yes, please do. I won't be able to follow up on short notice though.
Probably christmas.

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-02 Thread Mattias Gaertner
Hi,

The doc-chm.zip has only 7.6mb, while the doc-html.zip has 17.9mb.

Reason is that many html files are empty. For example: rtl.chm
classes/tthread.html

Should I report a bug?

Mattias

Re: [fpc-pascal] FPC 3.0.4 released!

2017-12-01 Thread Florian Klämpfl
On 01.12.2017 at 00:55, kardan wrote:
> On Thu, 30 Nov 2017 23:26:31 +0100
> "Tomas Hajny"  wrote:
> 
>> Checksums may indeed be created / calculated rather easily. However,
>> that is not enough. The checksums must get to the end user in secured
>> way as well, otherwise it makes no sense. What is the appropriate
>> mechanism for that from your point of view? Just listing on our WWW
>> pages (since these may be accessed via HTTPS to avoid modification on
>> the way) and copying the checksum to the WWW pages with links
>> (somewhat time-consuming, unfortunately, due to many download pages
>> and many files - I guess that we may provide you with a possibility
>> to do this for the next release if you like ;-) )? Or having a signed
>> (how - which trusted signature source?) checksum file accompanying
>> each and every released file (cluttering the release directories
>> considerably)? Or?
> 
> This is part of one of my install scripts for latest vagrant:
> 
> VAGRANT_DEB=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_i686.deb
> VAGRANT_SUMS=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_SHA256SUMS
> until [ \
>   "$(sha256sum vagrant_2.0.1_i686.deb)" = \
>   "$(curl -s $VAGRANT_SUMS|grep $(basename $VAGRANT_DEB))" ]
> do wget -c $VAGRANT_DEB; done
> sudo dpkg -i $(basename $VAGRANT_DEB)


And? FPC is not debian/linux only.

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Graeme Geldenhuys

On 2017-11-30 23:55, kardan wrote:
> In your case it would be probably enough to
> sha256sum $FILES > SHA256SUMS.txt
> gpg --sign SHA256SUMS.txt



Yup, that's exactly what I had in mind too. Thanks for sharing.

Regards,
  Graeme


Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread kardan
On Thu, 30 Nov 2017 23:26:31 +0100
"Tomas Hajny"  wrote:

> Checksums may indeed be created / calculated rather easily. However,
> that is not enough. The checksums must get to the end user in secured
> way as well, otherwise it makes no sense. What is the appropriate
> mechanism for that from your point of view? Just listing on our WWW
> pages (since these may be accessed via HTTPS to avoid modification on
> the way) and copying the checksum to the WWW pages with links
> (somewhat time-consuming, unfortunately, due to many download pages
> and many files - I guess that we may provide you with a possibility
> to do this for the next release if you like ;-) )? Or having a signed
> (how - which trusted signature source?) checksum file accompanying
> each and every released file (cluttering the release directories
> considerably)? Or?

This is part of one of my install scripts for latest vagrant:

VAGRANT_DEB=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_i686.deb
VAGRANT_SUMS=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_SHA256SUMS
until [ \
  "$(sha256sum vagrant_2.0.1_i686.deb)" = \
  "$(curl -s $VAGRANT_SUMS|grep $(basename $VAGRANT_DEB))" ]
do wget -c $VAGRANT_DEB; done
sudo dpkg -i $(basename $VAGRANT_DEB)

Wikipedia provides gpg signatures for each release file:
gpg --recv-keys 9D3BB7B0
URL=https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz
wget $URL{,.sig}
gpg --verify $(basename $URL).sig

Riseup.net takes it one step further and sign important statements and
certificates:
https://riseup.net/en/canary
https://riseup.net/en/security/network-security/riseup-ca

In your case it would be probably enough to
sha256sum $FILES > SHA256SUMS.txt
gpg --sign SHA256SUMS.txt

Thanks!
Kardan
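
The SHA256SUMS.txt manifest proposed in this message, extended to the two objections raised elsewhere in the thread (release files scattered across subdirectories, and builds uploaded after the manifest was written), as an added example that is not part of the original post or of any FPC release tooling. It assumes GNU coreutils and findutils; the function names and the sample tree are constructed for illustration, and the gpg signing step is left out.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes GNU coreutils/findutils
# (sha256sum, find -print0, sort -z, xargs -0 -r, comm, mktemp).
MANIFEST=SHA256SUMS.txt   # file name taken from the thread

# make_manifest DIR
# Hash every regular file below DIR, at any depth, into DIR/SHA256SUMS.txt,
# with paths recorded relative to DIR.
make_manifest() {
    (
        cd "$1" || exit 1
        out=$(mktemp "./.$MANIFEST.XXXXXX") || exit 1
        # NUL-separated names survive spaces; sorting makes reruns identical.
        find . -type f ! -name "$MANIFEST" ! -name "$MANIFEST.*" \
               ! -name ".$MANIFEST.*" -print0 |
            LC_ALL=C sort -z | xargs -0 -r sha256sum > "$out" || exit 1
        chmod 644 "$out"          # mktemp creates the file owner-only
        # Rename within the same directory, so readers never see a
        # half-written manifest.
        mv "$out" "$MANIFEST"
    )
}

# verify_release DIR
# Returns 0 only if every file listed in the manifest exists and matches.
verify_release() {
    ( cd "$1" && sha256sum --quiet --strict -c "$MANIFEST" ) >/dev/null 2>&1
}

# unlisted_files DIR
# Prints files present below DIR that the manifest does not cover, e.g. a
# build for a less common target uploaded after the manifest was written.
# (File names containing newlines or backslashes are not handled here.)
unlisted_files() {
    (
        cd "$1" || exit 1
        tmp=$(mktemp -d) || exit 1
        find . -type f ! -name "$MANIFEST" ! -name "$MANIFEST.*" \
               ! -name ".$MANIFEST.*" | LC_ALL=C sort > "$tmp/present"
        # A manifest line is 64 hex digits, two separator characters, then
        # the path, so the path starts at column 67.
        cut -c67- "$MANIFEST" | LC_ALL=C sort > "$tmp/listed"
        LC_ALL=C comm -23 "$tmp/present" "$tmp/listed"
        rm -rf "$tmp"
    )
}

# Demonstration on a constructed tree (the file names are stand-ins, not
# real release artifacts).
demo() {
    rel=$(mktemp -d) || return 1
    mkdir -p "$rel/source" "$rel/dist/i386-win32"
    printf 'constructed stand-in for a source archive\n' \
        > "$rel/source/example.source.tar.gz"
    printf 'constructed stand-in for an installer\n' \
        > "$rel/dist/i386-win32/setup.exe"

    make_manifest "$rel"
    verify_release "$rel" && echo "intact tree: OK"

    # Interrupted transfer: only the first 10 bytes arrived.
    head -c 10 "$rel/source/example.source.tar.gz" > "$rel/part" &&
        mv "$rel/part" "$rel/source/example.source.tar.gz"
    verify_release "$rel" || echo "truncated file: rejected"

    # A build added after the manifest was generated is not covered by it.
    mkdir -p "$rel/dist/os2"
    printf 'late upload\n' > "$rel/dist/os2/late.zip"
    echo "not covered by manifest: $(unlisted_files "$rel")"

    rm -rf "$rel"
}
demo
```

A manifest on its own only detects a damaged or incomplete transfer; signing SHA256SUMS.txt with gpg, as proposed above, is the step that ties it to the release builders.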

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Graeme Geldenhuys

On 2017-11-30 23:35, Tomas Hajny wrote:
> Obviously, there are more secure mechanisms (let's take
> Debian packages with their signatures as an example), but these require
> more overhead (especially with different release makers for different


Not every release maker needs to create their own checksums. Only one 
person needs to do a checksum against all release files in a directory 
(at the end of the release builds). You then have a CHECKSUM file 
listing all release files. If you want to be extra paranoid, then yes, 
use GnuPG and sign that file. Again, you only need one GnuPG key used by 
all Free Pascal releases. Creating the GnuPG key is a once off task. 
Generating the summary checksum file and signing it can all be scripted 
(probably in the same script that uploads all the release files to the 
server).


Regards,
  Graeme


Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Graeme Geldenhuys

On 2017-11-30 23:35, Tomas Hajny wrote:

> Sorry, I know that this is being done, but I don't see how is that more
> secure than just downloading the file via HTTPS.


Not all files are downloaded via a secure protocol like HTTPS. That's 
true for FreeBSD, Linux and I would guess even for Free Pascal's 
releases (main site and whatever mirrors are available).


I also prefer FTP over HTTP(S) for downloading ISO's or large files - 
thus an untrusted connection, but fast. I'd rather have some checksum 
than nothing - simply for verifying that my download is not corrupt in 
any way.



Regards,
  Graeme


Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Tomas Hajny
On Fri, December 1, 2017 00:18, Graeme Geldenhuys wrote:
> On 2017-11-30 22:26, Tomas Hajny wrote:
>> Checksums may indeed be created / calculated rather easily. However,
>> that
>> is not enough. The checksums must get to the end user in secured way as
>> well, otherwise it makes no sense.
>
>
> As the saying goes... Take a page from the playbook of FreeBSD or any
> Linux distro for that matter.
>
>http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/
 .
 .

Sorry, I know that this is being done, but I don't see how is that more
secure than just downloading the file via HTTPS. As long as the checksums
are not signed, they may be tampered with (or not) the same way as the
original files. Obviously, there are more secure mechanisms (let's take
Debian packages with their signatures as an example), but these require
more overhead (especially with different release makers for different
targets) and still end up with requiring some root trusted element at the
beginning (which usually needs to be downloaded via the same mechanisms as
the installation files in the end which implies that it's still as secure
as the download channel used for getting the files).

Tomas
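
Added example (not part of the original thread): a sketch of the point argued above, that a checksum file stored beside the downloads catches corruption but not replacement, unless the checksum file itself is authenticated. The function names, the demo file and the out-of-band "pinned" manifest digest (standing in for a GnuPG signature check) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example; file names and contents are constructed for the demo.

# Write "digest  name" lines for every archive in release directory $1.
make_manifest() {
    sums=$(cd "$1" && sha256sum *.tar.gz) && printf '%s\n' "$sums" > "$1/SHA256SUMS"
}

# Integrity: does every file match the manifest stored beside it?
check_files() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Authenticity: is the manifest the one the release maker published?
# $2 is the manifest digest obtained over a separate trusted channel. It is an
# assumption standing in for `gpg --verify SHA256SUMS.sig SHA256SUMS`.
check_manifest() {
    [ "$(sha256sum < "$1/SHA256SUMS" | cut -d' ' -f1)" = "$2" ]
}

# Check the manifest first, then the files it lists.
verify_release() {
    check_manifest "$1" "$2" || { echo "manifest not authentic"; return 2; }
    check_files "$1" || { echo "file digest mismatch"; return 1; }
    echo "ok"
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'genuine build\n' > "$d/fpc-demo.tar.gz"
    make_manifest "$d"
    pinned=$(sha256sum < "$d/SHA256SUMS" | cut -d' ' -f1)  # published out of band
    r1=$(verify_release "$d" "$pinned") || true

    # Transfer corruption: the file changes, the manifest does not.
    printf 'x' >> "$d/fpc-demo.tar.gz"
    if check_files "$d"; then c2=pass; else c2=fail; fi

    # Replaced on the server: whoever swaps the file can regenerate the manifest,
    # so the file-versus-manifest check passes again.
    make_manifest "$d"
    if check_files "$d"; then c3=pass; else c3=fail; fi
    r3=$(verify_release "$d" "$pinned") || true

    rm -rf "$d"
    printf '%s|%s|%s|%s\n' "$r1" "$c2" "$c3" "$r3"
}

demo
```

The four fields printed are: the untouched release, the corrupted file against the old manifest, the replaced file against a regenerated manifest, and the same replaced release checked against the pinned manifest digest.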



Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Graeme Geldenhuys

On 2017-11-30 22:26, Tomas Hajny wrote:

> Checksums may indeed be created / calculated rather easily. However, that
> is not enough. The checksums must get to the end user in secured way as
> well, otherwise it makes no sense.



As the saying goes... Take a page from the playbook of FreeBSD or any 
Linux distro for that matter.


  http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/

or

 http://www.mirrorservice.org/sites/releases.ubuntu.com/17.10/

In summary, a single CHECKSUM file listing each file and its related 
checksum. This is a standard layout that many tools can handle and can 
be used to verify many files in one go. There are tools that can 
generate these complete files too.


On a side note:
  MD5 and SHA1 are losing popularity (but still better than nothing).
  SHA256 or SHA512 should now be the norm.


Regards,
  Graeme


Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Tomas Hajny
On Thu, November 30, 2017 22:46, Graeme Geldenhuys wrote:
> On 2017-11-30 14:47, Tomas Hajny wrote:
>> Sourceforge provides HTTPS access, that should be safe enough. Apart
>> from
>> that - no, checksums are not being created as part of the release
>> process
>> at the moment.
>>
>> Tomas
>
> That really should be fixed. As someone that has many many releases in
> my years, it is hardly any effort creating such checksums - and can be
> easily scripted.

Checksums may indeed be created / calculated rather easily. However, that
is not enough. The checksums must get to the end user in secured way as
well, otherwise it makes no sense. What is the appropriate mechanism for
that from your point of view? Just listing on our WWW pages (since these
may be accessed via HTTPS to avoid modification on the way) and copying
the checksum to the WWW pages with links (somewhat time-consuming,
unfortunately, due to many download pages and many files - I guess that we
may provide you with a possibility to do this for the next release if you
like ;-) )? Or having a signed (how - which trusted signature source?)
checksum file accompanying each and every released file (cluttering the
release directories considerably)? Or?

Tomas



Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Graeme Geldenhuys

On 2017-11-30 14:47, Tomas Hajny wrote:

> Sourceforge provides HTTPS access, that should be safe enough. Apart from
> that - no, checksums are not being created as part of the release process
> at the moment.
>
> Tomas


That really should be fixed. As someone that has many many releases in 
my years, it is hardly any effort creating such checksums - and can be 
easily scripted.



Regards,
  Graeme


Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Tomas Hajny
On Thu, November 30, 2017 15:32, kardan wrote:
> Wow, both of you managed to avoid my actual question. :)
>
> On Thu, 30 Nov 2017 13:00:07 +0100
> kardan  wrote:
>
>> How can I verify those downloads with shasum or gpg fingerprints?
>> (FTP and HTTP seem not to be the safest ways these days.)

Sourceforge provides HTTPS access, that should be safe enough. Apart from
that - no, checksums are not being created as part of the release process
at the moment.

Tomas



Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread kardan
Wow, both of you managed to avoid my actual question. :)

On Thu, 30 Nov 2017 13:00:07 +0100
kardan  wrote:

> How can I verify those downloads with shasum or gpg fingerprints?
> (FTP and HTTP seem not to be the safest ways these days.)

Kardan

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Marco van de Voort
In our previous episode, Pierre Muller said:
> > Thanks for the release in progress!
> > Please also update
> > https://sourceforge.net/projects/freepascal/files/readme.txt/download
> 
>   I did this a few minutes ago.
> 
>   But I am not sure all releases available on ftp are also available on 
> SourceForge...

Like?

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Pierre Muller


On 30/11/2017 at 13:00, kardan wrote:
> Thanks for the release in progress!
> Please also update
> https://sourceforge.net/projects/freepascal/files/readme.txt/download

  I did this a few minutes ago.

  But I am not sure all releases available on ftp are also available on 
SourceForge...


Pierre

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Marco van de Voort
In our previous episode, kardan said:
> How can I verify those downloads with shasum or gpg fingerprints? (FTP
> and HTTP seem not to be the safest ways these days.)
> 
> > Changes that may break backwards compatibility will be documented at:
> > http://wiki.freepascal.org/User_Changes_3_0_4
> 
> "T.B.D."

Already fixed, redirected to 3.0.4. 
 

> > readme at
> > https://sourceforge.net/projects/freepascal/files/

Done

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread kardan
Thanks for the release in progress!

How can I verify those downloads with shasum or gpg fingerprints? (FTP
and HTTP seem not to be the safest ways these days.)

> Changes that may break backwards compatibility will be documented at:
> http://wiki.freepascal.org/User_Changes_3_0_4

"T.B.D."

> For Downloads, please use the FTP server at
> ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/

It's at ftp://freepascal.stack.nl/pub/mirrors/fpc/dist/3.0.4/

> https://sourceforge.net/projects/freepascal/files/

Please also update
https://sourceforge.net/projects/freepascal/files/readme.txt/download

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Marco van de Voort
In our previous episode, Mattias Gaertner said:
> > Finally, the Free Pascal 3.0.4 release is available from our FTP servers.
> > 
> > Changes that may break backwards compatibility will be documented at:
> > http://wiki.freepascal.org/User_Changes_3_0_4
> 
> That should be
> http://wiki.freepascal.org/User_Changes_3.0.4

Thanks, I added a redirect, so the old now also works. Probably bungled it
because svn tags are encoded that way.

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Marco van de Voort
In our previous episode, Mattias Gaertner said:
> > and sourceforge 
> > 
> > https://sourceforge.net/projects/freepascal/files/
> 
> This
> https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.4/
> contains a fpc 3.0.5 as well.
> 
> Is this on purpose?

Yes, ios comes from a special branch because of aarch64, and the increased
number reflects that, it also was that way with 3.0.2 (3.0.3)

See e.g. https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.2

That's all I know about it though, I haven't followed Apple targets in
recent years.


Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Mattias Gaertner
On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
mar...@stack.nl (Marco van de Voort) wrote:

>[...]
> and sourceforge 
> 
> https://sourceforge.net/projects/freepascal/files/

This
https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.4/
contains a fpc 3.0.5 as well.

Is this on purpose?

Mattias

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Mattias Gaertner
On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
mar...@stack.nl (Marco van de Voort) wrote:

> Hello,
> 
> Finally, the Free Pascal 3.0.4 release is available from our FTP servers.
> 
> Changes that may break backwards compatibility will be documented at:
> http://wiki.freepascal.org/User_Changes_3_0_4

That should be
http://wiki.freepascal.org/User_Changes_3.0.4

Mattias

Re: [fpc-pascal] FPC 3.0.4 released!

2017-11-30 Thread Mattias Gaertner
On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
mar...@stack.nl (Marco van de Voort) wrote:

> Hello,
> 
> Finally, the Free Pascal 3.0.4 release is available from our FTP servers.
> 
> Changes that may break backwards compatibility will be documented at:
> http://wiki.freepascal.org/User_Changes_3_0_4
> 
> For Downloads, please use the FTP server at
> 
> ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/

This gives:
500 /pub/fpc/dist/3.0.4: No such file or directory

Mattias