[Nut-upsdev] [nut-commits] svn commit r2832 - in trunk/docs: . website
Charles Lepple
clepple at gmail.com
Fri Feb 18 02:29:18 UTC 2011
On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
> Hi John,
>
> 2011/1/17 John Bayly
> On 14/01/2011 20:40, Arnaud Quette wrote:
> Author: aquette
> Date: Fri Jan 14 20:40:06 2011
> New Revision: 2832
> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
>
> +link:http://www.networkupstools.org/source/2.6/
> nut-2.6.0.tar.gz.sig[signature]
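Review bot: the added `+link:` line points readers at a detached `.sig` over plain `http://`, and nothing in the line says which key the signature should verify against. Consider stating the signing key's fingerprint (or linking to the key) next to the `[signature]` link, so that a reader who has never fetched the project's key can check the signature against something.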
> May I suggest that you also provide checksums for the tarball? I'm
> updating the FreeBSD port, and wanted to verify the SHA256 sum. As
> it's been downloaded from the NUT website, I know the odds of the
> source being tainted are astronomical, but if it's for a
> distribution, I thought I'd be extra cautious.
> As it is I've verified the GPG sig (never used it before) and used
> the computed SHA sum.
>
> I've added a SHA256 hash, and referenced it in the download section:
> http://www.networkupstools.org/download.html
>
> I've not yet updated the documentation, but it's as simple as
> downloading the nut archive and the matching .sha256 file. Then using:
> $ sha256sum -c nut-2.6.0.tar.gz.sha256
Arnaud,
I go through a similar set of steps for Fink packages. If there is a
GPG signature, I'll verify that, since it provides a little more chain-
of-trust information. However, if I am just downloading a single file,
it is typically easier to just verify the hash by inspection - that
is, with the SHA256 on the web page rather than a separate file
download.
Also, there is a bit more of an audit trail if the hash is in our web
pages in SVN.
Just my $0.02.
- Charles
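The two checks discussed in this thread, as an added example that is not part of either message: verifying against a downloaded `.sha256` file with `sha256sum -c`, and comparing against a hash pasted from the download page. The file names, contents and function names are constructed for the demo, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example: two ways to check a release tarball's SHA-256.
# File names and contents below are constructed for the demo.

# Lowercase hex SHA-256 of a file.
file_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Check "by inspection": compare against a hash pasted from a web page.
# Tolerates surrounding whitespace and upper-case hex; returns 2 for
# anything that is not exactly 64 hex digits, so a truncated paste cannot match.
verify_pasted_hash() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ "$(file_sha256 "$file")" = "$expected" ]
}

# Check against a downloaded .sha256 file, as in the message above.
# Runs in the file's directory because the checksum file stores a relative name.
verify_checksum_file() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1")" >/dev/null 2>&1 )
}

demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed stand-in for a release tarball\n' > "$dir/demo-1.0.tar.gz"
    ( cd "$dir" && sha256sum demo-1.0.tar.gz > demo-1.0.tar.gz.sha256 )
    pasted=$(file_sha256 "$dir/demo-1.0.tar.gz")

    verify_checksum_file "$dir/demo-1.0.tar.gz.sha256" && echo "checksum file: OK"
    verify_pasted_hash "$dir/demo-1.0.tar.gz" "  $pasted " && echo "pasted hash: OK"

    # Simulate a modified download: both checks must now fail.
    printf 'extra bytes\n' >> "$dir/demo-1.0.tar.gz"
    verify_checksum_file "$dir/demo-1.0.tar.gz.sha256" || echo "checksum file: MISMATCH"
    verify_pasted_hash "$dir/demo-1.0.tar.gz" "$pasted" || echo "pasted hash: MISMATCH"
    rm -rf "$dir"
}

demo
```

Either check is only as trustworthy as the place the expected hash came from; the GPG signature is what ties the file to a key.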