Hello,
Finally, the Free Pascal 3.0.4 release is available from our FTP servers. Changes that may break backwards compatibility will be documented at: http://wiki.freepascal.org/User_Changes_3_0_4 For Downloads, please use the FTP server at ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/ and sourceforge https://sourceforge.net/projects/freepascal/files/ as much possible. Enjoy! The Free Pascal Compiler Team Free Pascal Compiler Version 3.0.4 ****************************************************************************** What's New in 3.0.4 ****************************************************************************** Free Pascal 3.0.4 is a point release of the 3.0.x fixes branch. Please also see http://wiki.freepascal.org/User_Changes_3.0.4 for a list of changes that may affect the behaviour of previously working code, and how to cope with these changes. Some highlights are: Packages: * fcl-pdf updates * fcl-passrc updates. * fix traceback on ELF based systems See http://bugs.freepascal.org/changelog_page.php for the list of reported bugs which have been fixed in this release. _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
[hidden email] (Marco van de Voort) wrote: > Hello, > > Finally, the Free Pascal 3.0.4 release is available from our FTP servers. > > Changes that may break backwards compatibility will be documented at: > http://wiki.freepascal.org/User_Changes_3_0_4 > > For Downloads, please use the FTP server at > > ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/ This gives: 500 /pub/fpc/dist/3.0.4: No such file or directory Mattias _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Marco van de Voort
On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
[hidden email] (Marco van de Voort) wrote: > Hello, > > Finally, the Free Pascal 3.0.4 release is available from our FTP servers. > > Changes that may break backwards compatibility will be documented at: > http://wiki.freepascal.org/User_Changes_3_0_4 That should be http://wiki.freepascal.org/User_Changes_3.0.4 Mattias _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Marco van de Voort
On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
[hidden email] (Marco van de Voort) wrote: >[...] > and sourceforge > > https://sourceforge.net/projects/freepascal/files/ This https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.4/ contains a fpc 3.0.5 as well. Is this on purpose? Mattias _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Marco van de Voort
Hi,
On Thu, 30 Nov 2017, Marco van de Voort wrote: > For Downloads, please use the FTP server at > > ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/ Not sure why Marco decided to redirect everything to the stack.nl mirror as primary source in his announcement, but everything should be on ftpmaster, so: ftp://ftp.freepascal.org/pub/fpc/dist/3.0.4/ Or the right mirror URL for the stack.nl mirror is: ftp://freepascal.stack.nl/pub/mirrors/fpc/dist/3.0.4/ Charlie _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Mattias Gaertner
In our previous episode, Mattias Gaertner said:
> > and sourceforge > > > > https://sourceforge.net/projects/freepascal/files/ > > This > https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.4/ > contains a fpc 3.0.5 as well. > > Is this on purpose? Yes, ios comes from a special branch because of aarch64, and the increased number reflects that, it also was that way with 3.0.2 (3.0.3) See e.g. https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.2 That's all what I know about it though, I haven't followed Apple targets in recent years. _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Mattias Gaertner
In our previous episode, Mattias Gaertner said:
> > Finally, the Free Pascal 3.0.4 release is available from our FTP servers. > > > > Changes that may break backwards compatibility will be documented at: > > http://wiki.freepascal.org/User_Changes_3_0_4 > > That should be > http://wiki.freepascal.org/User_Changes_3.0.4 Thanks, I added a redirect, so the old now also works. Probably bungled it because of svn tags are encodeded that way. _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Marco van de Voort
Thanks for the release in progress!
How can I verify those downloads with shasum or gpg fingerprints)? (FTP and HTTP seem not to be the safest ways these days.) > Changes that may break backwards compatibility will be documented at: > http://wiki.freepascal.org/User_Changes_3_0_4 "T.B.D." > For Downloads, please use the FTP server at > ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/ It's at ftp://freepascal.stack.nl/pub/mirrors/fpc/dist/3.0.4/ > https://sourceforge.net/projects/freepascal/files/ Please also update https://sourceforge.net/projects/freepascal/files/readme.txt/download _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In our previous episode, kardan said:
> How can I verify those downloads with shasum or gpg fingerprints)? (FTP > and HTTP seem not to be the safest ways these days.) > > > Changes that may break backwards compatibility will be documented at: > > http://wiki.freepascal.org/User_Changes_3_0_4 > > "T.B.D." Already fixed, redirected to 3.0.4. > > readme at > > https://sourceforge.net/projects/freepascal/files/ Done _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by kardan
Le 30/11/2017 à 13:00, kardan a écrit : > Thanks for the release in progress! > Please also update > https://sourceforge.net/projects/freepascal/files/readme.txt/download I did this a few minutes ago. But I am not sure all releases available on ftp are also available on SourceForge... Pierre _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In our previous episode, Pierre Muller said:
> > Thanks for the release in progress! > > Please also update > > https://sourceforge.net/projects/freepascal/files/readme.txt/download > > I did this a few minutes ago. > > But I am not sure all releases available on ftp are also available on SourceForge... Like? _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by kardan
Wow, both of you managed to avoid my actual question. :)
On Thu, 30 Nov 2017 13:00:07 +0100 kardan <[hidden email]> wrote: > How can I verify those downloads with shasum or gpg fingerprints)? > (FTP and HTTP seem not to be the safest ways these days.) Kardan _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
On Thu, November 30, 2017 15:32, kardan wrote:
> Wow, both of you managed to avoid my actual question. :) > > On Thu, 30 Nov 2017 13:00:07 +0100 > kardan <[hidden email]> wrote: > >> How can I verify those downloads with shasum or gpg fingerprints)? >> (FTP and HTTP seem not to be the safest ways these days.) Sourceforge provides HTTPS access, that should be safe enough. Apart from that - no, checksums are not being created as part of the release process at the moment. Tomas _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
On 2017-11-30 14:47, Tomas Hajny wrote:
> Sourceforge provides HTTPS access, that should be safe enough. Apart from > that - no, checksums are not being created as part of the release process > at the moment. > > Tomas That really should be fixed. As someone that has many many releases is my years, in is hardly any effort creating such checksums - and can be easily scripted. Regards, Graeme -- fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal http://fpgui.sourceforge.net/ My public PGP key: http://tinyurl.com/graeme-pgp _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
On Thu, November 30, 2017 22:46, Graeme Geldenhuys wrote:
> On 2017-11-30 14:47, Tomas Hajny wrote: >> Sourceforge provides HTTPS access, that should be safe enough. Apart >> from >> that - no, checksums are not being created as part of the release >> process >> at the moment. >> >> Tomas > > That really should be fixed. As someone that has many many releases is > my years, in is hardly any effort creating such checksums - and can be > easily scripted. Checksums may indeed be created / calculated rather easily. However, that is not enough. The checksums must get to the end user in secured way as well, otherwise it makes no sense. What is the appropriate mechanism for that from your point of view? Just listing on our WWW pages (since these may be accessed via HTTPS to avoid modification on the way) and copying the checksum to the WWW pages with links (somewhat time-consuming, unfortunately, due to many download pages and many files - I guess that we may provide you with a possibility to do this for the next release if you like ;-) )? Or having a signed (how - which trusted signature source?) checksum file accompanying each and every released file (cluttering the release directories considerably)? Or? Tomas _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
On 2017-11-30 22:26, Tomas Hajny wrote:
> Checksums may indeed be created / calculated rather easily. However, that > is not enough. The checksums must get to the end user in secured way as > well, otherwise it makes no sense. As the saying goes... Take a page from the playbook of FreeBSD or any Linux distro for that matter. http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/ or http://www.mirrorservice.org/sites/releases.ubuntu.com/17.10/ In summary, a single CHECKSUM file listing each file and its related checksum. This is a standard layout that many tools can handle and can be used to verify many files in one go. There are tools that can generate these complete files too. On a side note: MD5 and SHA1 is loosing popularity (but still better than nothing). SHA256 or SHA512 should now be the norm. Regards, Graeme -- fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal http://fpgui.sourceforge.net/ My public PGP key: http://tinyurl.com/graeme-pgp _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
On Fri, December 1, 2017 00:18, Graeme Geldenhuys wrote:
> On 2017-11-30 22:26, Tomas Hajny wrote: >> Checksums may indeed be created / calculated rather easily. However, >> that >> is not enough. The checksums must get to the end user in secured way as >> well, otherwise it makes no sense. > > > As the saying goes... Take a page from the playbook of FreeBSD or any > Linux distro for that matter. > > http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/ . Sorry, I know that this is being done, but I don't see how is that more secure than just downloading the file via HTTPS. As long as the checksums are not signed, they may be tampered with (or not) the same way as the original files. Obviously, there are more secure mechanisms (let's take Debian packages with their signatures as an example), but these require more overhead (especially with different release makers for different targets) and still end up with requiring some root trusted element at the beginning (which usually needs to be downloaded via the same mechanisms as the installation files in the end which implies that it's still as secure as the download channel used for getting the files). Tomas _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
On 2017-11-30 23:35, Tomas Hajny wrote:
> Sorry, I know that this is being done, but I don't see how is that more > secure than just downloading the file via HTTPS. Not all files are downloaded via a secure protocol like HTTPS. That's true for FreeBSD, Linux and I would guess even for Free Pascal's releases (main site and whatever mirrors are available). I also prefer FTP over HTTP(S) for downloading ISO's or large files - thus an untrusted connection, but fast. I'd rather have some checksum than nothing - simply for verifying that my download is not corrupt in any way. Regards, Graeme -- fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal http://fpgui.sourceforge.net/ My public PGP key: http://tinyurl.com/graeme-pgp _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Tomas Hajny-2
On 2017-11-30 23:35, Tomas Hajny wrote:
> Obviously, there are more secure mechanisms (let's take > Debian packages with their signatures as an example), but these require > more overhead (especially with different release makers for different Not every release maker needs to create there own checksums. Only one person needs to do a checksum against all release files in a directory (at the end of the release builds). You then have a CHECKSUM file listing all release files. If you want to be extra paranoid, then yes, use GnuPG and sign that file. Again, you only need one GnuPG key used by all Free Pascal releases. Creating the GnuPG key is a once off task. Generating the summary checksum file and signing it can all be scripted (probably in the same script that uploads all the release files to the server). Regards, Graeme -- fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal http://fpgui.sourceforge.net/ My public PGP key: http://tinyurl.com/graeme-pgp _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
In reply to this post by Tomas Hajny-2
On Thu, 30 Nov 2017 23:26:31 +0100
"Tomas Hajny" <[hidden email]> wrote: > Checksums may indeed be created / calculated rather easily. However, > that is not enough. The checksums must get to the end user in secured > way as well, otherwise it makes no sense. What is the appropriate > mechanism for that from your point of view? Just listing on our WWW > pages (since these may be accessed via HTTPS to avoid modification on > the way) and copying the checksum to the WWW pages with links > (somewhat time-consuming, unfortunately, due to many download pages > and many files - I guess that we may provide you with a possibility > to do this for the next release if you like ;-) )? Or having a signed > (how - which trusted signature source?) checksum file accompanying > each and every released file (cluttering the release directories > considerably)? Or? This is part of one of my install scripts for latest vagrant: VAGRANT_DEB=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_i686.deb VAGRANT_SUMS=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_SHA256SUMS until [ \ "$(sha256sum vagrant_2.0.1_i686.deb)" = \ "$(curl -s $VAGRANT_SUMS|grep $(basename $VAGRANT_DEB))" ] do wget -c $VAGRANT_DEB; done sudo dpkg -i $(basename $VAGRANT_DEB) Wikipedia provides gpg signatures for each release file: gpg --recv-keys 9D3BB7B0 URL=https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz wget $URL{,.sig} gpg --verify $(basename $URL).sig Riseup.net takes it one step further and sign important statements and certificates: https://riseup.net/en/canary https://riseup.net/en/security/network-security/riseup-ca In your case it would be probably enough to sha256sum $FILES > SHA256SUMS.txt gpg --sign SHA256SUMS.txt Thanks! Kardan _______________________________________________ fpc-pascal maillist - [hidden email] http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal |
Free forum by Nabble | Edit this page |