Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Todd Zullinger
Some of you might be aware that the instructions for verifying our *-CHECKSUM files on Windows have been broken since we moved to SHA256. Previously, we linked users to a sha1sum.exe built by the GnuPG project. With SHA256, we don't have that ability. Fortunately, the good folks working on MingW

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Jesse Keating
On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote: Some of you might be aware that the instructions for verifying our *-CHECKSUM files on Windows have been broken since we moved to SHA256. Previously, we linked users to a sha1sum.exe built by the GnuPG project. With SHA256, we don't

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Stephen John Smoogen
On Tue, Nov 24, 2009 at 9:25 AM, Jesse Keating jkeat...@redhat.com wrote: On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote: Some of you might be aware that the instructions for verifying our *-CHECKSUM files on Windows have been broken since we moved to SHA256. Previously, we linked

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Jeroen van Meeuwen
On 11/24/2009 05:25 PM, Jesse Keating wrote: On Tue, 2009-11-24 at 10:33 -0500, Todd Zullinger wrote: (I really don't want to maintain the mingw32-sha256sum package for Fedora, as it's just a quick and dirty hack to build a small subset of coreutils for Windows.) Thoughts? Well, if you

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Todd Zullinger
Jesse Keating wrote: Well, if you have to use a tool from the project, to verify other bits from the project, the verification just became a lot less trusted. If you don't trust the bits you got from the project, why would you trust the tool the project gives you to verify the bits? Here use

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Todd Zullinger
Jeroen van Meeuwen wrote: The goal is, of course, to verify the .iso against what is listed as its sha256sum. Whether the tools ultimately come from the same source doesn't matter. It should, though, be advisable to not include the sha256sum.exe on the mirrors, and only serve the file over

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Jesse Keating
On Tue, 2009-11-24 at 13:06 -0500, Todd Zullinger wrote: I believe that providing a sha256sum.exe via https://fp.o/ is surely an improvement over Download the .iso and hope it works or check it with some third-party checksum tool that we can't even hope to verify. I agree, I just wanted to

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Todd Zullinger
Jesse Keating wrote: I agree, I just wanted to point out the catch-22. Heh. I'm sorry if I came off a bit defensive. :) -- Todd OpenPGP - KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp ~~ The most overlooked advantage

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Allen Kistler
Jesse Keating wrote: Well, if you have to use a tool from the project, to verify other bits from the project, the verification just became a lot less trusted. If you don't trust the bits you got from the project, why would you trust the tool the project gives you to verify the bits? Here use

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Todd Zullinger
Allen Kistler wrote: I have the same opinion of signing the page with the hashes. The pages that list the hashes for F12 are: https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM https://fedoraproject.org/static/checksums/Fedora-12-x86_64-CHECKSUM They are PGP-signed using

Re: Creating a trusted sha256sum.exe binary for verifying *-CHECKSUM files on Windows

2009-11-24 Thread Bruno Wolff III
On Tue, Nov 24, 2009 at 10:33:16 -0500, Todd Zullinger t...@pobox.com wrote: What I'm here for is to gather ideas for how to properly go about building the mingw32-sha256sum and keeping it around so that when I extract the sha256sum.exe and upload it to fedoraproject.org we will have the