[Nut-upsdev] [nut-commits] svn commit r2832 - in trunk/docs: . website

Arnaud Quette aquette.dev at gmail.com
Thu Feb 24 15:36:37 UTC 2011


Hi Charles,

2011/2/18 Charles Lepple <clepple at gmail.com>

> On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
>
> Hi John,
>
> 2011/1/17 John Bayly
>
>> On 14/01/2011 20:40, Arnaud Quette wrote:
>>
>>> Author: aquette
>>> Date: Fri Jan 14 20:40:06 2011
>>> New Revision: 2832
>>> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
>>>
>>> +link:
>>> http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]
>>>
>> May I suggest that you also provide checksums for the tarball? I'm
>> updating the FreeBSD port, and wanted to verify the SHA256 sum. As it's been
>> downloaded from the NUT website, I know the odds of the source being tainted
>> are astronomical, but if it's for a distribution, I thought I'd be extra
>> cautious.
>> As it is I've verified the GPG sig (never used it before) and used the
>> computed SHA sum.
>>
>
> I've added a SHA256 hash, and referenced it in the download section:
> http://www.networkupstools.org/download.html
>
> I've not yet updated the documentation, but it's as simple as downloading the
> nut archive and the matching .sha256 file. Then using:
> $ sha256sum -c nut-2.6.0.tar.gz.sha256
>
>
> Arnaud,
>
> I go through a similar set of steps for Fink packages. If there is a GPG
> signature, I'll verify that, since it provides a little more chain-of-trust
> information. However, if I am just downloading a single file, it is
> typically easier to just verify the hash by inspection - that is, with the
> SHA256 on the web page rather than a separate file download.
>
> Also, there is a bit more of an audit trail if the hash is in our web pages
> in SVN.
>

I may be too far away, in other consideration...
but, are you saying that it would be better to embed the SHA256 hash
directly on the web page, or simply that searching for this file may be too
hard for the user?

for the former, the web page always needs a modification for a new publication
(svn commit then push on www.n.o). So changing the stable release name, and
at the same time adding the hash would not be a problem.

for the latter, the file is named <release-file>.sha256, so for example
nut-2.6.0.tar.gz.sha256, which allows checking automation.

Or did I get you wrong?

cheers,
Arnaud
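
The two checks discussed in this thread, the `<release-file>.sha256` sidecar and a hash read by inspection from the download page, can be combined in one automated step. The following is an added example, not code from the thread or from the NUT project; the function name `verify_release`, its optional pinned-hash argument and the sample file are assumptions made for illustration.

```shell
#!/bin/sh
# verify_release FILE [PINNED_HASH]
#   FILE         release archive with a FILE.sha256 sidecar next to it
#   PINNED_HASH  optional hash read from a second source (e.g. the download page)
# Returns 0 = verified, 1 = mismatch, 2 = missing or malformed input.
verify_release() {
    file=$1
    pinned=$(printf '%s' "${2:-}" | tr 'A-F' 'a-f')
    sidecar="$file.sha256"
    [ -f "$file" ] && [ -f "$sidecar" ] || return 2

    # Sidecar line as written by sha256sum: "<64 hex digits>  <file name>"
    read -r listed name < "$sidecar" || [ -n "$listed" ] || return 2
    listed=$(printf '%s' "$listed" | tr 'A-F' 'a-f')
    name=${name#\*}                      # drop the binary-mode marker, if any
    case $listed in *[!0-9a-f]*) return 2 ;; esac
    [ "${#listed}" -eq 64 ] || return 2

    # "sha256sum -c" checks whatever file the sidecar names, so make sure
    # the sidecar really is about the file we were asked to verify.
    [ "$name" = "$(basename "$file")" ] || return 2

    # Hash via stdin so the output never depends on the file name.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$listed" ] || return 1
    if [ -n "$pinned" ]; then
        [ "$actual" = "$pinned" ] || return 1
    fi
    return 0
}

# Constructed demo data: a stand-in archive, not a real NUT release.
demo_dir=$(mktemp -d)
printf 'constructed sample archive\n' > "$demo_dir/sample-1.0.tar.gz"
( cd "$demo_dir" && sha256sum sample-1.0.tar.gz > sample-1.0.tar.gz.sha256 )
verify_release "$demo_dir/sample-1.0.tar.gz" && echo "sidecar check: OK"
rm -rf "$demo_dir"
```

A sidecar downloaded from the same server as the archive only detects corruption in transit; passing a hash obtained through a separate channel as the second argument is what ties the check to a second source.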