Re: [Gegl-developer] babl and gegl: SHA{1, 256}SUMS files not updated

From: Øyvind Kolås <pippin gimp org>
To: Chris Clayton <chris2553 googlemail com>
Cc: gegl-developer-list <gegl-developer-list gnome org>
Subject: Re: [Gegl-developer] babl and gegl: SHA{1, 256}SUMS files not updated
Date: Tue, 28 Nov 2017 18:24:48 +0100

On Mon, Nov 27, 2017 at 7:38 AM, Chris Clayton via gegl-developer-list
<gegl-developer-list gnome org> wrote:

Hi

gegl-0.3.24 and babl-0.1.38 have been released recently, but in neither case have the SHA<n>SUMS files been 
regenerated.

Where possible, I like to verify sources before building and installing on my system. I'm sure I'm not 
alone in this.


For downloads directly from https://download.gimp.org/ - these
checksums provide about as much verification as the bz2 compression
itself, if the download is corrupted the unpacking of the archives
would fail, a malicious attacker that hacked into download.gimp.org
would be able to change both the archive and checksums anyways. These
checksum files are most useful for mirrors when mirroring as well as
manual checking of something downloaded from a mirror against
checksums gotten directly from download.gimp.org; and they've been
updated now.

/pippin

References:
- [Gegl-developer] babl and gegl: SHA{1,256}SUMS files not updated
  - From: Chris Clayton

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]