Re: [be] Verification of release tar balls
From: Jonathan Marsden
Subject: Re: [be] Verification of release tar balls
Date: Thu, 23 Sep 2010 10:24:01 -0700
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
Teus,
On 9/23/2010 8:58 AM, Teus Benschop wrote:
> There is currently no way of validating the released tar balls. This
> may be the first time the issue comes up. Whoever wants to set that
> up is welcome.
For this to be useful, the file or web page containing the checksums
needs to be editable ONLY by the person doing the release; putting them
on an editable wiki page is somewhat pointless, because a bad person
could theoretically (a) replace the tarball with an evil variation and
(b) edit the wiki page to match that evil variation! The edit might
show in the wiki page history, but automated checkers cannot read that.
Some projects provide PGP signatures for their release tarballs, instead
of or in addition to checksums; clearly, only the release manager will
have the right private key to do that.
So, I think the "whoever" doing the setting up unfortunately also needs
to be "the person creating the release tarballs". Which in this case is
probably you! No-one else knows for certain what the contents of the
"real, official, original, genuine" release tarballs are (maybe an evil
person edited them seconds after you uploaded them to Savannah, so in
theory everyone else has evilly changed copies!). The file containing
the checksums needs to be published in a way that makes it as difficult
as possible for others to change it.
Generating the checksums for the current set of release tarballs with
md5sum and sha1sum is trivial, anyone can do that, see below; publishing
the results securely is not something that "anyone" could do.
# Fetch every .tar.gz listed in the two Savannah release directories
# (lynx -dump prints the link list; sed keeps only the URL column).
for i in $(lynx -dump http://download.savannah.gnu.org/releases-noredirect/bibledit/source/ \
           | grep 'gz$' | sed -e 's/^.* //') ; do wget -c "$i" ; done
for i in $(lynx -dump http://download.savannah.gnu.org/releases-noredirect/bibledit/source/gtk/ \
           | grep 'gz$' | sed -e 's/^.* //') ; do wget -c "$i" ; done
# Digest lists in the standard md5sum/sha1sum output format
md5sum *gz >MD5SUMS
sha1sum *gz >SHA1SUMS
is all it takes. My results are below (do not treat these as
authoritative).
Jonathan
-------------------------------------------------------------------
66d00617f8c0e70ebd0b6a42f3a04a5a bibledit-0.1.tar.gz
86ffe91022b116bed6d3e10755aee0cd bibledit-0.2.tar.gz
45dc0fdc694955df8ba5a8c8a8700871 bibledit-0.4.tar.gz
b592e3bd2e0f4420d33fa382c514aef5 bibledit-0.5.tar.gz
87b155f7cd14cb18f5665ee1c5cab2d8 bibledit-0.6.tar.gz
5c2ac3a315716b7cceb018df14286227 bibledit-0.7.tar.gz
a7daf0db8319f341d31448d82954bb54 bibledit-0.9.tar.gz
666776f1e67d4d8e15e770833c2f0d90 bibledit-1.0.tar.gz
6c62754ad6942b5c0c7ee26109783a13 bibledit-1.3.tar.gz
8339ea6b3c0ddeecae40ba6ce9294071 bibledit-1.4.tar.gz
6f4b761458f5a4d577c2a7ed637fe2d6 bibledit-1.5.tar.gz
a8340f5c81dbf67cc49025716ca0ae6e bibledit-2.0.tar.gz
0d9a962c3359030b3b3357865c273258 bibledit-2.1.tar.gz
b203b0b0d14c54e9a9f3fdbf804f33b3 bibledit-2.2.tar.gz
658dfc8b1d1545836084c0f912cd07ca bibledit-2.4.tar.gz
63161342b7287f07e55970fb2f0dba67 bibledit-2.5.tar.gz
74f1bcc702b23d8332d7c74cd105475c bibledit-2.6.tar.gz
2ebf4b538b07ac0ea9a48b16ff198344 bibledit-2.7.tar.gz
a469f0734ceb74561b8974d3bc209ecd bibledit-2.8.tar.gz
f066651b16b9532a667104f633dbf861 bibledit-2.9.tar.gz
5698d72a4288ebf94ddcf79df2c9964c bibledit-3.0.tar.gz
f7e5d1b413b69feed510d7cf1e00e59e bibledit-3.1.tar.gz
7968d1e72d5a8cc6ef58b570ac892511 bibledit-3.2.tar.gz
e10d4778315c816922a90422bdb188d0 bibledit-3.3.tar.gz
59fe277dc9dd8f5e6370367db777f70b bibledit-3.4.tar.gz
0dbb1b67b10dc6aaa2b645b3c45b85c3 bibledit-3.5.tar.gz
db8200a1927d04b3d74201f4bb5a7d66 bibledit-3.6.tar.gz
60b877da748d42caeda14d62a79cdbc0 bibledit-3.7.tar.gz
6e4acc3abfeefe54f250f76163fc3336 bibledit-3.8.tar.gz
ca654a0f73e9fe930064d171eb4203fd bibledit-3.9.tar.gz
60af1f37c9c5716c61de8dd75f90566a bibledit-4.0.tar.gz
2838907ce1b0ef243a90b7399e750917 bibledit-gtk-4.1.tar.gz
bb6f807c79bd5fb865ff91b70d650712118aa91f bibledit-0.1.tar.gz
a502b32ea4281f457cd5b4f0b1f516d288ca5768 bibledit-0.2.tar.gz
1f8567dfd600d49c85cbc15b6612ad836a50e4e1 bibledit-0.4.tar.gz
2d0b9571b10ff042d9ee83f3223c5fb9eabc543e bibledit-0.5.tar.gz
e1871e9cc324eac7179af5cfb2d3722cd0f37d70 bibledit-0.6.tar.gz
d973af97d1f8d6e81b753de60f469d8cc3a8a427 bibledit-0.7.tar.gz
e3cf05443c9ac0556467743de840eef5ff640464 bibledit-0.9.tar.gz
e153bd6f45a92de4a0519c7ae9cc986e2cdc14bd bibledit-1.0.tar.gz
a6f5c4b2583cb9397f133be71cff33bfb03bdc27 bibledit-1.3.tar.gz
3fa1541c231f9a181cd8e7501eb378cf7ed10a6f bibledit-1.4.tar.gz
8ea8dfc5ab317d78382df83eba6cd3746a244b96 bibledit-1.5.tar.gz
2544907015c5e846897fb620d3d9abcb0b59f6c1 bibledit-2.0.tar.gz
41d9efd6f3df2561be5fc0b953e3f68a47af6e36 bibledit-2.1.tar.gz
f7693f322ebb9e7db1e70739b1079b5af42ab34e bibledit-2.2.tar.gz
c149f9310b2afb5d8bf86f97a1154c4d9a2dfdc0 bibledit-2.4.tar.gz
cda2bf9e76f601619d94bd1fb61c2994c87ae2cd bibledit-2.5.tar.gz
fe82dc00ebe0a454849458db711fc3923a417f17 bibledit-2.6.tar.gz
23ccc4c8e806dd9384fd10fb9b1f5e6e37c584e3 bibledit-2.7.tar.gz
42d03e24e5e041f382cda86189f578788ef78707 bibledit-2.8.tar.gz
d65942d54afe256e0c56683258e1ba4af1040f2d bibledit-2.9.tar.gz
ee690f814e50962f1bff3f8e3ec72d875df79919 bibledit-3.0.tar.gz
1c3f62ab944c14bc0cd4b09f099b91a44b247167 bibledit-3.1.tar.gz
cb40bced065d4104975348f60764c145e66f6c3f bibledit-3.2.tar.gz
7f07bbdd0c3721bc53370b96f2a75c9746680976 bibledit-3.3.tar.gz
04fc9692d05f14fe79264501286aec91f76f1cac bibledit-3.4.tar.gz
f1362feb673c23ae88ae7f00479b5d8320cd95b5 bibledit-3.5.tar.gz
084aacc63a07fab653f916a1054f9b2dd844d968 bibledit-3.6.tar.gz
7708b66825cb8833ce0a6350d76a83c28f17a7d5 bibledit-3.7.tar.gz
6fac00913b0c1924126f2f780fa43c72da80efaa bibledit-3.8.tar.gz
5dbb6935c73843f045f4130a68ce7c8c3fc52f39 bibledit-3.9.tar.gz
52fec9acc006eddc73579a8289da7ee6cea6ea4b bibledit-4.0.tar.gz
eeccaf150bff0f5662d4dce2efdfb503ed9bd6a6 bibledit-gtk-4.1.tar.gz
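Worked example, added by the editor and not part of the thread or of the Bibledit project: a small verifier for digest lists in the md5sum/sha1sum output format shown above, with a demo of the two scenarios the message describes (a swapped tarball caught by a trusted digest list, and a swapped tarball plus a rewritten digest list that passes). Python is used so that it runs offline with the standard library only. The tarballs it hashes are constructed byte strings, not real releases; the SHA256SUMS entry is an assumption added for the same file format with a current hash.

```python
import hashlib
import os
import tempfile

# Digest list names as used in the message, mapped to hashlib algorithm names.
# SHA256SUMS is an assumed addition: same format, produced by sha256sum.
ALGORITHMS = {"MD5SUMS": "md5", "SHA1SUMS": "sha1", "SHA256SUMS": "sha256"}
HEX_DIGITS = set("0123456789abcdef")


def parse_sums(text):
    """Parse md5sum/sha1sum/sha256sum output into {filename: hex_digest}.

    Each line is '<hex>  <name>' (text mode) or '<hex> *<name>' (binary mode).
    Malformed or duplicate entries raise ValueError rather than being skipped.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not set(parts[0].lower()) <= HEX_DIGITS:
            raise ValueError(f"line {lineno}: malformed digest entry {raw!r}")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if name in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        entries[name] = digest
    return entries


def file_digest(path, algorithm):
    """Hash a file in chunks so large tarballs need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def generate_sums(directory, sums_name, names):
    """Write directory/<sums_name> in the format md5sum/sha1sum produce."""
    algorithm = ALGORITHMS[sums_name]
    lines = [f"{file_digest(os.path.join(directory, n), algorithm)}  {n}"
             for n in sorted(names)]
    with open(os.path.join(directory, sums_name), "w") as f:
        f.write("\n".join(lines) + "\n")


def verify_sums(directory, sums_name):
    """Check every file listed in directory/<sums_name>; return {name: status}.

    Status is 'OK', 'FAILED' (digest mismatch) or 'MISSING' (file absent).
    """
    algorithm = ALGORITHMS[sums_name]
    with open(os.path.join(directory, sums_name)) as f:
        expected = parse_sums(f.read())
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algorithm) == digest:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Show what a digest list can and cannot catch, on constructed tarballs.

    Returns {'clean': ..., 'tampered_file': ..., 'tampered_both': ...}.
    """
    with tempfile.TemporaryDirectory() as d:
        names = ["bibledit-4.0.tar.gz", "bibledit-gtk-4.1.tar.gz"]
        for n in names:  # constructed stand-ins, not real release content
            with open(os.path.join(d, n), "wb") as f:
                f.write(b"constructed tarball contents for " + n.encode())
        generate_sums(d, "SHA1SUMS", names)  # the release manager's list
        clean = verify_sums(d, "SHA1SUMS")[names[0]]

        # Case 1: only the tarball is replaced; a trusted SHA1SUMS catches it.
        with open(os.path.join(d, names[0]), "wb") as f:
            f.write(b"replaced contents")
        tampered_file = verify_sums(d, "SHA1SUMS")[names[0]]

        # Case 2: the digest list is rewritten to match (an editable wiki
        # page); the check passes and nothing downstream notices.
        generate_sums(d, "SHA1SUMS", names)
        tampered_both = verify_sums(d, "SHA1SUMS")[names[0]]
    return {"clean": clean, "tampered_file": tampered_file,
            "tampered_both": tampered_both}


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The 'tampered_both' result is the point of the message: a digest list only adds assurance when it is published somewhere the release manager alone can write, or is itself signed with a key only the release manager holds, so that rewriting it is not as easy as rewriting the tarball.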