[Nut-upsdev] [nut-commits] svn commit r2832 - in trunk/docs: . website

Arnaud Quette aquette.dev at gmail.com
Tue Mar 1 15:20:26 UTC 2011


2011/3/1 John Bayly <freebsd.ports at tipstrade.net>

>  On 25/02/2011 20:35, Arnaud Quette wrote:
>
> Hey Charles,
>
> 2011/2/25 Charles Lepple <clepple at gmail.com>
>
>>  On Fri, Feb 25, 2011 at 3:21 AM, Arnaud Quette <aquette.dev at gmail.com>
>> wrote:
>> >
>> >
>> > 2011/2/25 Charles Lepple <clepple at gmail.com>
>> >>
>> >> On Thu, Feb 24, 2011 at 10:36 AM, Arnaud Quette <aquette.dev at gmail.com>
>> >> wrote:
>> >> > Hi Charles,
>> >> >
>> >> > 2011/2/18 Charles Lepple <clepple at gmail.com>
>> >> >>
>> >> >> On Feb 17, 2011, at 8:41 AM, Arnaud Quette wrote:
>> >> >>
>> >> >> Hi John,
>> >> >>
>> >> >> 2011/1/17 John Bayly
>> >> >>>
>> >> >>> On 14/01/2011 20:40, Arnaud Quette wrote:
>> >> >>>>
>> >> >>>> Author: aquette
>> >> >>>> Date: Fri Jan 14 20:40:06 2011
>> >> >>>> New Revision: 2832
>> >> >>>> URL: http://trac.networkupstools.org/projects/nut/changeset/2832
>> >> >>>>
>> >> >>>>
>> >> >>>>
>> >> >>>> +link:
>> http://www.networkupstools.org/source/2.6/nut-2.6.0.tar.gz.sig[signature]
>> >> >>>
>> >> >>> May I suggest that you also provide checksums for the tarball? I'm
>> >> >>> updating the FreeBSD port, and wanted to verify the SHA256 sum. As
>> >> >>> it's been downloaded from the NUT website, I know the odds of the
>> >> >>> source being tainted are astronomical, but if it's for a
>> >> >>> distribution, I thought I'd be extra cautious.
>> >> >>> As it is I've verified the GPG sig (never used it before) and used
>> >> >>> the computed SHA sum.
>> >> >>
>> >> >> I've added a SHA256 hash, and referenced it in the download section:
>> >> >> http://www.networkupstools.org/download.html
>> >> >>
>> >> >> I've not yet updated the documentation, but it's as simple as
>> >> >> downloading the nut archive and the matching .sha256 file. Then using:
>> >> >> $ sha256sum -c nut-2.6.0.tar.gz.sha256
>> >> >>
>> >> >> Arnaud,
>> >> >> I go through a similar set of steps for Fink packages. If there is a
>> >> >> GPG signature, I'll verify that, since it provides a little more
>> >> >> chain-of-trust information. However, if I am just downloading a single
>> >> >> file, it is typically easier to just verify the hash by inspection -
>> >> >> that is, with the SHA256 on the web page rather than a separate file
>> >> >> download.
>> >> >> Also, there is a bit more of an audit trail if the hash is in our web
>> >> >> pages in SVN.
>> >> >
>> >> > I may be too far away, in other consideration...
>> >> > but, are you saying that it would be better to embed the SHA256 hash
>> >> > directly on the web page, or simply that searching for this file may
>> >> > be too hard for the user?
>> >> >
>> >> > for the former, the web page always needs a modification for new
>> >> > publication (svn commit then push on www.n.o). So changing the stable
>> >> > release name, and at the same time adding the hash would not be a
>> >> > problem.
>> >>
>> >> I like this because there is a history of the hashes in SVN. The
>> >> .sha256 file is not version controlled.
>> >
>> > nor the root file it's hashing...
>> >
>> >>
>> >> > for the latter, the file is named <release-file>.sha256, so for
>> >> > example nut-2.6.0.tar.gz.sha256, which allows checking automation.
>> >>
>> >> I guess I'm not sure I see the advantage of putting it in a separate
>> >> file.
>> >
>> > I see no problem.
>> > can you please do the mod?
>> >
>> > cheers,
>> > Arnaud
>>
>>  Committed as r2910.
>>
>
> thanks, I've just 'moved it to prod'.
>
> note that I will however leave the .sha256 file available in the sources/
> dir, and will distribute future files too.
> Documentation will be using it (ie 'sha256sum -c nut-X.Y.Z.tar.gz.sha256')
> since I personally find it more convenient, and automatable.
>
> cheers,
> Arnaud
>
>  Just realised that you added the checksum a while ago. Thanks for that.
>

welcome, we kept you cc'ed for that ;-)
btw, any comment on the .sha256 file Vs. hash inside the HTML page?

cheers,
Arnaud
-- 
Linux / Unix Expert R&D - Eaton - http://powerquality.eaton.com
Network UPS Tools (NUT) Project Leader - http://www.networkupstools.org/
Debian Developer - http://www.debian.org
Free Software Developer - http://arnaud.quette.free.fr/
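
The two checks compared in this thread, the `.sha256` file used with `sha256sum -c` and a hash recorded separately (on the web page or in a port), written as an added example that is not part of the original messages or NUT's own code. The function names and the `nut-X.Y.Z.tar.gz` stand-in file are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not NUT project code): the two checks discussed in the thread.
# Exit codes: 0 = match, 1 = mismatch, 2 = unusable input.

# Print the lowercase hex SHA-256 of a file.
sha256_of() { sha256sum -- "$1" | awk '{print $1}'; }

# Compare FILE against a hash pinned elsewhere (web page, port distinfo).
verify_pinned() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$expected" in *[!0-9a-f]*) return 2 ;; esac   # hex digits only
    [ "${#expected}" -eq 64 ] || return 2                # full SHA-256 length
    [ "$(sha256_of "$1")" = "$expected" ]
}

# Check FILE against FILE.sha256 fetched alongside it (the 'sha256sum -c' path).
verify_sidecar() {
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    [ -f "$1.sha256" ] || return 2
    # Exactly one entry, and it must name this file, so a sidecar written
    # for some other file cannot produce a passing result.
    [ "$(grep -c . "$1.sha256")" -eq 1 ] || return 2
    name=$(awk 'NF {sub(/^\*/, "", $2); print $2}' "$1.sha256")
    [ "$name" = "$base" ] || return 2
    (cd "$dir" && sha256sum -c "$base.sha256" >/dev/null 2>&1)
}

# Constructed demo with a stand-in file (nut-X.Y.Z.tar.gz is a placeholder).
demo() {
    tmp=$(mktemp -d) || return 2
    f="$tmp/nut-X.Y.Z.tar.gz"
    printf 'constructed sample\n' > "$f"
    pinned=$(sha256_of "$f")   # stands in for the hash recorded on the web page
    (cd "$tmp" && sha256sum nut-X.Y.Z.tar.gz > nut-X.Y.Z.tar.gz.sha256)
    before=0
    { verify_sidecar "$f" && verify_pinned "$f" "$pinned"; } || before=$?
    # File and sidecar are both regenerated at the download location.
    printf 'different content\n' > "$f"
    (cd "$tmp" && sha256sum nut-X.Y.Z.tar.gz > nut-X.Y.Z.tar.gz.sha256)
    side=0; verify_sidecar "$f" || side=$?
    pin=0;  verify_pinned "$f" "$pinned" || pin=$?
    rm -rf "$tmp"
    echo "before=$before sidecar_after=$side pinned_after=$pin"
}
```

Running `demo` prints `before=0 sidecar_after=0 pinned_after=1`: a sidecar regenerated together with the file still passes, while the separately recorded hash reports the change.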