diffutils-devel

Re: diffutils-3.9 released [stable]


From: Jim Meyering
Subject: Re: diffutils-3.9 released [stable]
Date: Tue, 31 Jan 2023 18:33:45 -0800

On Thu, Jan 19, 2023 at 2:42 PM Bob Proulx <bob@proulx.com> wrote:
> Jim Meyering wrote:
> > Note that the announcement does include a standard SHA1 checksum.
> > Given we're providing multiple ways to verify integrity, I'm not
> > losing sleep over this.
>
> The inclusion of a standard SHA1 checksum was good.  That verified
> with no trouble.
>
> The problem actually started back in 2021 with the automake release
> announcement.
>
>     https://lists.gnu.org/archive/html/autotools-announce/2021-10/msg00000.html
>
> I was in a discussion and asked how to verify the checksums in that
> message.  Because in that message both checksums are base64 encoded.
>
>     Here are the compressed sources:
>       https://ftp.gnu.org/gnu/automake/automake-1.16.5.tar.xz (1.6MB)
>       https://ftp.gnu.org/gnu/automake/automake-1.16.5.tar.gz (2.3MB)
>     ...
>     Here are the SHA1 and SHA256 checksums:
>
>     8B1YzW2dd/vcqetLvV6tGYgij9tz1veiAfX41rEYtGk  automake-1.16.5.tar.xz
>     B70krQimS8FyUM4J7FbpIdY0OQOUPpnM9ju/BwXjRgU  automake-1.16.5.tar.gz
>
>     Each SHA256 checksum is base64 encoded, instead of the
>     hexadecimal encoding that most checksum tools default to.
>
> I was looking at how to do it for that package when diffutils released
> and had a slightly different format with SHA1 normal but SHA256 base64
> encoded.  And since the diffutils announcement was current of course I
> decided to jump in here while the paint was still drying and before
> weeds could grow between the cracks of the pavement.
>
> > > Simple is better!
> >
> > Hi Bob, I lean that way, too, and in fact think I did make many
> > releases with signatures only and no checksum, but some people much
> > prefer checksums, and the desire to provide a robust hash with a
> > compact representation is what led to the current state.
>
> Published checksums are good!  But only if people can actually use
> them for verification.  Let's not go out of our way to make this too
> hard for people to actually do.
>
> > Sadly, nothing about gpg signature verification is simple these days,
> > with keyserver problems everywhere.
>
> There are some issues with gpg verification, sadly.
>
> > For now, I'm stubbornly waiting for an improved cksum :-)

Note that OpenBSD's cksum supports -b for base64 digests:
https://man.openbsd.org/cksum

I have just added support to coreutils' cksum:
https://git.sv.gnu.org/cgit/coreutils.git/commit/?id=v9.1-137-gb319685c6

With that, I'll soon revisit the format used in announcements, at
least to add any padding "=" bytes.
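
An added example, not part of the original message and not code from coreutils or OpenBSD: one way to check a download against a digest published in the format discussed in this thread, whether it is hex or base64 and with or without the trailing "=" padding. The function names and the sample data are assumptions made for illustration; the algorithm is inferred from the decoded digest length.

```python
import base64
import hashlib
import hmac
import string

# Raw digest length in bytes -> hashlib algorithm name.
ALGO_BY_LEN = {20: "sha1", 32: "sha256", 64: "sha512"}
HEX_LENGTHS = {2 * n for n in ALGO_BY_LEN}


def decode_digest(text):
    """Return (algorithm, raw_digest) for a hex or base64 digest string."""
    text = text.strip()
    if len(text) in HEX_LENGTHS and all(c in string.hexdigits for c in text):
        raw = bytes.fromhex(text)
    else:
        # Announcements may omit the trailing "=" padding; restore it.
        body = text.rstrip("=")
        raw = base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    if len(raw) not in ALGO_BY_LEN:
        raise ValueError(f"unrecognised digest length: {len(raw)} bytes")
    return ALGO_BY_LEN[len(raw)], raw


def verify(data, published):
    """True if data hashes to the published digest (hex or base64)."""
    algo, expected = decode_digest(published)
    actual = hashlib.new(algo, data).digest()
    return hmac.compare_digest(actual, expected)


def to_hex(published):
    """Convert a published digest to the hex form most checksum tools print."""
    return decode_digest(published)[1].hex()


# Constructed sample standing in for a downloaded tarball.
SAMPLE = b"constructed sample tarball contents\n"
SAMPLE_B64 = base64.b64encode(hashlib.sha256(SAMPLE).digest()).decode().rstrip("=")

if __name__ == "__main__":
    print(SAMPLE_B64, verify(SAMPLE, SAMPLE_B64))
    # Digest strings quoted from the automake announcement in the thread.
    for d in ("8B1YzW2dd/vcqetLvV6tGYgij9tz1veiAfX41rEYtGk",
              "B70krQimS8FyUM4J7FbpIdY0OQOUPpnM9ju/BwXjRgU"):
        print(decode_digest(d)[0], to_hex(d))
```

The hex string returned by `to_hex` can be compared directly with the output of a tool that prints hexadecimal digests.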


