<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
On 01/03/2011 15:20, Arnaud Quette wrote:
<blockquote
cite="mid:AANLkTimoZ3R0fATaM724suM6asXYrr+xEcjHbiXXT2Ww@mail.gmail.com"
type="cite"><br>
<br>
<div class="gmail_quote">2011/3/1 John Bayly <span dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:freebsd.ports@tipstrade.net">freebsd.ports@tipstrade.net</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div>
<div class="h5"> On 25/02/2011 20:35, Arnaud Quette wrote:
<blockquote type="cite">Hey Charles,<br>
<br>
<div class="gmail_quote">2011/2/25 Charles Lepple <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:clepple@gmail.com" target="_blank">clepple@gmail.com</a>&gt;</span><br>
<blockquote class="gmail_quote" style="margin: 0pt
0pt 0pt 0.8ex; border-left: 1px solid rgb(204,
204, 204); padding-left: 1ex;">
<div>
<div>On Fri, Feb 25, 2011 at 3:21 AM, Arnaud
Quette &lt;<a moz-do-not-send="true"
href="mailto:aquette.dev@gmail.com"
target="_blank">aquette.dev@gmail.com</a>&gt;
wrote:<br>
><br>
><br>
> 2011/2/25 Charles Lepple &lt;<a
moz-do-not-send="true"
href="mailto:clepple@gmail.com"
target="_blank">clepple@gmail.com</a>&gt;<br>
>><br>
>> On Thu, Feb 24, 2011 at 10:36 AM,
Arnaud Quette &lt;<a moz-do-not-send="true"
href="mailto:aquette.dev@gmail.com"
target="_blank">aquette.dev@gmail.com</a>&gt;<br>
>> wrote:<br>
>> > Hi Charles,<br>
>> ><br>
>> > 2011/2/18 Charles Lepple &lt;<a
moz-do-not-send="true"
href="mailto:clepple@gmail.com"
target="_blank">clepple@gmail.com</a>&gt;<br>
>> >><br>
>> >> On Feb 17, 2011, at 8:41 AM,
Arnaud Quette wrote:<br>
>> >><br>
>> >> Hi John,<br>
>> >><br>
>> >> 2011/1/17 John Bayly<br>
>> >>><br>
>> >>> On 14/01/2011 20:40,
Arnaud Quette wrote:<br>
>> >>>><br>
>> >>>> Author: aquette<br>
>> >>>> Date: Fri Jan 14
20:40:06 2011<br>
>> >>>> New Revision: 2832<br>
>> >>>> URL: <a
moz-do-not-send="true"
href="http://trac.networkupstools.org/projects/nut/changeset/2832"
target="_blank">http://trac.networkupstools.org/projects/nut/changeset/2832</a><br>
>> >>>><br>
>> >>>><br>
>> >>>><br>
>> >>>> +link:<a
moz-do-not-send="true"
href="http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig%5Bsignature%5D"
target="_blank">http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]</a><br>
>> >>><br>
>> >>> May I suggest that you
also provide checksums for the tarball? I'm<br>
>> >>> updating the FreeBSD
port, and wanted to verify the SHA256 sum. As<br>
>> >>> it's been<br>
>> >>> downloaded from the NUT
website, I know the odds of the source being<br>
>> >>> tainted<br>
>> >>> are astronomical, but if
it's for a distribution, I thought I'd be<br>
>> >>> extra<br>
>> >>> cautious.<br>
>> >>> As it is I've verified
the GPG sig (never used it before) and used
the<br>
>> >>> computed SHA sum.<br>
>> >><br>
>> >> I've added a SHA256 hash,
and referenced it in the download section:<br>
>> >> <tt><a
moz-do-not-send="true"
href="http://www.networkupstools.org/download.html"
target="_blank">http://www.networkupstools.org/download.html</a></tt><br>
>> >><br>
>> >> I've not yet updated the
documentation, but it's as simple as downloading<br>
>> >> the<br>
>> >> nut archive and the matching
.sha256 file. Then using:<br>
>> >> $ sha256sum -c
nut-2.6.0.tar.gz.sha256<br>
>> >><br>
>> >> Arnaud,<br>
>> >> I go through a similar set
of steps for Fink packages. If there is a<br>
>> >> GPG<br>
>> >> signature, I'll verify that,
since it provides a little more<br>
>> >> chain-of-trust<br>
>> >> information. However, if I
am just downloading a single file, it is<br>
>> >> typically easier to just
verify the hash by inspection - that is, with<br>
>> >> the<br>
>> >> SHA256 on the web page
rather than a separate file download.<br>
>> >> Also, there is a bit more of
an audit trail if the hash is in our web<br>
>> >> pages in SVN.<br>
>> ><br>
>> > I may be too far away, in other
consideration...<br>
>> > but, are you saying that it
would be better to embed the SHA256 hash<br>
>> > directly on the web page, or
simply that searching for this file may be<br>
>> > too<br>
>> > hard for the user?<br>
>> ><br>
>> > for the former, the web page
always needs a modification for new<br>
>> > publication<br>
>> > (svn commit then push on <a
moz-do-not-send="true" href="http://www.n.o"
target="_blank">www.n.o</a>). So changing
the stable release name,<br>
>> > and<br>
>> > at the same time adding the hash
would not be a problem.<br>
>><br>
>> I like this because there is a
history of the hashes in SVN. The<br>
>> .sha256 file is not version
controlled.<br>
><br>
> nor the root file it's hashing...<br>
><br>
>><br>
>> > for the latter, the file is
named &lt;release-file&gt;.sha256, so for
example<br>
>> > nut-2.6.0.tar.gz.sha256, which
allows checking automation.<br>
>><br>
>> I guess I'm not sure I see the
advantage of putting it in a separate file.<br>
><br>
> I see no problem.<br>
> can you please do the mod?<br>
><br>
> cheers,<br>
> Arnaud<br>
<br>
</div>
</div>
Committed as r2910.<br>
</blockquote>
</div>
<br>
thanks, I've just 'moved it to prod'.<br clear="all">
<br>
note that I will however leave the .sha256 file
available in the sources/ dir, and will distribute
future files too. <br>
Documentation will be using it (ie 'sha256sum -c
nut-X.Y.Z.tar.gz.sha256') since I personally find it
more convenient, and automatable.<br>
<br>
cheers,<br>
Arnaud<br>
<br>
</blockquote>
</div>
</div>
Just realised that you added the checksum a while ago.
Thanks for that.<br>
</div>
</blockquote>
</div>
<br>
welcome, we kept you cc'ed for that ;-)<br clear="all">
btw, any comment on the .sha256 file vs. hash inside the HTML
page?<br>
<br>
cheers,<br>
Arnaud<br>
-- <br>
Linux / Unix Expert R&amp;D - Eaton - <a moz-do-not-send="true"
href="http://powerquality.eaton.com" target="_blank">http://powerquality.eaton.com</a><br>
Network UPS Tools (NUT) Project Leader - <a
moz-do-not-send="true" href="http://www.networkupstools.org/"
target="_blank">http://www.networkupstools.org/</a><br>
Debian Developer - <a moz-do-not-send="true"
href="http://www.debian.org" target="_blank">http://www.debian.org</a><br>
Free Software Developer - <a moz-do-not-send="true"
href="http://arnaud.quette.free.fr/" target="_blank">http://arnaud.quette.free.fr/</a><br>
<br>
</blockquote>
I was getting them, but have been fairly manic recently so this is
the first time I managed to check.<br>
<br>
As for the file vs. inside HTML, if it's an either-or choice, I'd go
with the file as (as you say) it's more scriptable. I suppose I'm
more used to checksums rather than GPG signatures as it's how
FreeBSD verifies ports (I had to install the gnupg port just to
verify the signature :-)<br>
Personally though, I think the more options the better; I can't see
any disadvantage with both options.<br>
<br>
Cheers,<br>
John<br>
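<br>
The verification step discussed in this thread (a tarball plus its matching .sha256 file checked the way 'sha256sum -c nut-X.Y.Z.tar.gz.sha256' does, compared with a hash published on the version-controlled download page), as an added shell example that is not part of the thread or of the NUT project. The nut-X.Y.Z.tar.gz name is the thread's placeholder, the file contents are constructed, and the shasum/openssl fallbacks in sha256_of are there for systems without GNU sha256sum.<br>

```shell
#!/bin/sh
# Added example, not code from the NUT project or the thread: verify a release
# tarball against its sidecar ".sha256" file and against a hash pinned
# out of band (such as one kept on a version-controlled download page).

# Portable SHA-256 of a file: GNU coreutils, Perl shasum (BSD/macOS), or OpenSSL.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Sidecar check in sha256sum -c format ("<hex>  <filename>"). Only the line
# naming this exact file counts, so a stray entry cannot satisfy the check.
verify_with_sidecar() {
    name=$(basename "$1")
    expected=$(awk -v f="$name" '$2 == f || $2 == "*" f { print tolower($1) }' "$2")
    [ -n "$expected" ] || { echo "no entry for $name in $2" >&2; return 1; }
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Pinned check: compare with a hash obtained separately from the download.
# Case-insensitive, since hashes are often copied in upper case.
verify_with_pinned() {
    [ "$(sha256_of "$1")" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# Demo on constructed data: a fake tarball, its sidecar, then the same
# tarball replaced together with a regenerated sidecar. The sidecar check
# still passes, which is why a checksum served next to the file protects
# against download corruption but not against a replaced release.
demo() {
    d=$(mktemp -d); t="$d/nut-X.Y.Z.tar.gz"
    printf 'constructed release contents\n' > "$t"
    pinned=$(sha256_of "$t")
    printf '%s  %s\n' "$pinned" "$(basename "$t")" > "$t.sha256"
    verify_with_sidecar "$t" "$t.sha256" && echo "original: sidecar OK"
    printf 'replaced contents\n' > "$t"
    printf '%s  %s\n' "$(sha256_of "$t")" "$(basename "$t")" > "$t.sha256"
    verify_with_sidecar "$t" "$t.sha256" && echo "replaced: sidecar still OK"
    verify_with_pinned "$t" "$pinned" || echo "replaced: pinned hash MISMATCH"
    rm -rf "$d"
}
demo
```

The detached GPG signature the thread also mentions is the stronger check, since it ties the tarball to a signing key rather than to whatever the same server happens to publish beside it.<br>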
</body>
</html>