Re: [Repo-criteria-discuss] File checksums and signatures
From: Mike Gerwitz
Subject: Re: [Repo-criteria-discuss] File checksums and signatures
Date: Sun, 13 Mar 2016 22:48:08 -0400
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.0.50 (gnu/linux)
On Sun, Mar 13, 2016 at 19:15:52 +0300, address@hidden wrote:
> Wouldn't it be useful to recommend at least having SHA256/whatever
> checksums or hashes on the downloads page? It could be convenient not only
> to the users (to be able to verify the file not only against the
> web-page contents, but also against a mailing list announcement letter
> containing checksums too), but also for maintainers to compare contents
> and identicalness of various download sources without actually retrieving
> the data.
I consider distribution separate from repository hosting. The two are
unfortunately often mixed---e.g. linking to a zip/tar of a specific tag
or commit---but they're very different processes. For example, for
building GNU software, you should run `make dist` and distribute the
resulting tarball alongside a GPG signature. This is what you find on
ftp.gnu.org, and with release announcements.

Repository hosting has separate issues. I encourage you in these cases
to sign the commits. I have a (now-outdated) article here:

https://mikegerwitz.com/papers/git-horror-story

and a detailed reply of mine to Whonix developer Patrick Schleizer about
Git's cryptographic assurances here:

https://web.archive.org/web/20150619232904/https://www.whonix.org/forum/index.php?topic=538.msg4278#msg4278

So, in the end, I don't think it's necessary for repository hosts to
provide guarantees like this, _unless_ they allow the user to publish
distribution archives, in which case it'd be irresponsible not to.

GNU projects (for which these criteria are defined) use ftp.gnu.org, not
a hosting site.
--
Mike Gerwitz
Free Software Hacker | GNU Maintainer
https://mikegerwitz.com
FSF Member #5804 | GPG Key ID: 0x8EE30EAB
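As an added example (not part of this message, and not any GNU project's own tooling), the POSIX shell script below shows the two checks a downloader is left with under the split described above: the SHA256SUMS file the question asks for, and the detached GPG signature that ships alongside a `make dist` tarball. The tarball, the checksum file, the signing key and the signature are all constructed in a temporary directory, so nothing is fetched; the file names and the key's user ID are assumptions. It demonstrates why the checksum alone is a weaker guarantee: it catches a corrupted or mismatched download, but a checksum published beside the file protects only as well as the page hosting it, whereas the signature binds the tarball to a key the downloader has trusted independently of the host. If `gpg` is not installed, the signature layer is reported as skipped rather than failing.

```shell
#!/bin/sh
# Added example, not code from the thread. Two verification layers for a
# release tarball: (1) SHA256SUMS, which detects corruption and mirror
# mismatches but can be rewritten by whoever controls the download page;
# (2) a detached GPG signature made with a maintainer key the downloader
# trusts on its own. All artifacts are constructed in a temp directory.
set -u

# make_release DIR: write a constructed tarball and its SHA256SUMS file,
# standing in for what a maintainer would publish after `make dist`.
make_release() {
    dir=$1
    mkdir -p "$dir/hello-1.0"
    printf 'int main(void){return 0;}\n' > "$dir/hello-1.0/hello.c"
    tar -C "$dir" -cf "$dir/hello-1.0.tar" hello-1.0
    (cd "$dir" && sha256sum hello-1.0.tar > SHA256SUMS)
}

# check_sums DIR: 0 if every file listed in SHA256SUMS matches, 1 otherwise.
check_sums() {
    (cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1)
}

# sign_release DIR: generate a throwaway key in an isolated GNUPGHOME and
# make a detached, ASCII-armoured signature of the tarball.
# Returns 0 on success, 2 if gpg is unavailable or cannot run here.
sign_release() {
    dir=$1
    command -v gpg >/dev/null 2>&1 || return 2
    export GNUPGHOME="$dir/gnupg"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Signer (constructed) <release@example.invalid>' \
        default default never >/dev/null 2>&1 || return 2
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign -o "$dir/hello-1.0.tar.sig" \
        "$dir/hello-1.0.tar" >/dev/null 2>&1 || return 2
}

# verify_signature DIR: gpg's own exit status, 0 for a good signature and
# non-zero for a bad or missing one.
verify_signature() {
    gpg --batch --quiet --verify "$1/hello-1.0.tar.sig" \
        "$1/hello-1.0.tar" >/dev/null 2>&1
}

# tamper DIR: simulate a host or mirror serving a modified tarball.
tamper() {
    printf 'extra bytes\n' >> "$1/hello-1.0.tar"
}

# Walk through both layers before and after tampering.
demo() {
    work=$(mktemp -d)
    make_release "$work"
    check_sums "$work" && echo "checksums: OK"
    if sign_release "$work"; then
        verify_signature "$work" && echo "signature: good"
    else
        echo "signature: skipped (gpg not available)"
    fi
    tamper "$work"
    check_sums "$work" || echo "checksums: MISMATCH after tampering"
    if [ -f "$work/hello-1.0.tar.sig" ]; then
        verify_signature "$work" || echo "signature: BAD after tampering"
    fi
    rm -rf "$work"
}

demo
```

Note that a mismatch in `check_sums` after tampering says nothing about who changed the file; only the signature check distinguishes a maintainer-made release from one altered in transit or on the host, which is why the signature, not the checksum, is the layer that needs a key obtained out of band.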