[Nut-upsdev] [nut-commits] svn commit r2832 - in trunk/docs: . website

Charles Lepple clepple at gmail.com
Fri Feb 18 02:29:18 UTC 2011

On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:

> Hi John,
> 2011/1/17 John Bayly
> On 14/01/2011 20:40, Arnaud Quette wrote:
> Author: aquette
> Date: Fri Jan 14 20:40:06 2011
> New Revision: 2832
> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
> +link:http://www.networkupstools.org/source/2.6/ 
> nut-2.6.0.tar.gz.sig[signature]
> May I suggest that you also provide checksums for the tarball? I'm  
> updating the FreeBSD port, and wanted to verify the SHA256 sum. As  
> it's been downloaded from the NUT website, I know the odds of the  
> source being tainted are astronomical, but if it's for a  
> distribution, I thought I'd be extra cautious.
> As it is I've verified the GPG sig (never used it before) and used  
> the computed SHA sum.
> I've added a SHA256 hash, and referenced it in the download section:
> http://www.networkupstools.org/download.html
> I've not yet updated the documentation, but it's simple as  
> downloading the nut archive and the matching .sha256 file. Then using:
> $ sha256sum -c nut-2.6.0.tar.gz.sha256


I go through a similar set of steps for Fink packages. If there is a  
GPG signature, I'll verify that, since it provides a little more chain- 
of-trust information. However, if I am just downloading a single file,  
it is typically easier to just verify the hash by inspection - that  
is, with the SHA256 on the web page rather than a separate file  

Also, there is a bit more of an audit trail if the hash is in our web  
pages in SVN.

Just my $0.02.

- Charles
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/nut-upsdev/attachments/20110217/9fea00dd/attachment.htm>

More information about the Nut-upsdev mailing list