|
|
123
|
|
Hi,
On Thu, 30 Nov 2017, Marco van de Voort wrote:
> For Downloads, please use the FTP server at
>
> ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/
Not sure why Marco decided to redirect everything to the stack.nl mirror
as primary source in his announcement, but everything should be on
ftpmaster, so:
ftp://ftp.freepascal.org/pub/fpc/dist/3.0.4/
Or the right mirror URL for the stack.nl mirror is:
ftp://freepascal.stack.nl/pub/mirrors/fpc/dist/3.0.4/
Charlie
_______________________________________________
fpc-pascal maillist - [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
|
|
|
On Thu, November 30, 2017 15:32, kardan wrote:
> Wow, both of you managed to avoid my actual question. :)
>
> On Thu, 30 Nov 2017 13:00:07 +0100
> kardan < [hidden email]> wrote:
>
>> How can I verify those downloads with shasum or gpg fingerprints)?
>> (FTP and HTTP seem not to be the safest ways these days.)
Sourceforge provides HTTPS access, that should be safe enough. Apart from
that - no, checksums are not being created as part of the release process
at the moment.
Tomas
_______________________________________________
fpc-pascal maillist - [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
|
|
|
On 2017-11-30 14:47, Tomas Hajny wrote:
> Sourceforge provides HTTPS access, that should be safe enough. Apart from
> that - no, checksums are not being created as part of the release process
> at the moment.
>
> Tomas
That really should be fixed. As someone that has many many releases is
my years, in is hardly any effort creating such checksums - and can be
easily scripted.
Regards,
Graeme
--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/My public PGP key: http://tinyurl.com/graeme-pgp_______________________________________________
fpc-pascal maillist - [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
|
|
|
On Thu, November 30, 2017 22:46, Graeme Geldenhuys wrote:
> On 2017-11-30 14:47, Tomas Hajny wrote:
>> Sourceforge provides HTTPS access, that should be safe enough. Apart
>> from
>> that - no, checksums are not being created as part of the release
>> process
>> at the moment.
>>
>> Tomas
>
> That really should be fixed. As someone that has many many releases is
> my years, in is hardly any effort creating such checksums - and can be
> easily scripted.
Checksums may indeed be created / calculated rather easily. However, that
is not enough. The checksums must get to the end user in secured way as
well, otherwise it makes no sense. What is the appropriate mechanism for
that from your point of view? Just listing on our WWW pages (since these
may be accessed via HTTPS to avoid modification on the way) and copying
the checksum to the WWW pages with links (somewhat time-consuming,
unfortunately, due to many download pages and many files - I guess that we
may provide you with a possibility to do this for the next release if you
like ;-) )? Or having a signed (how - which trusted signature source?)
checksum file accompanying each and every released file (cluttering the
release directories considerably)? Or?
Tomas
_______________________________________________
fpc-pascal maillist - [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
|
|
|
On Fri, December 1, 2017 00:18, Graeme Geldenhuys wrote:
> On 2017-11-30 22:26, Tomas Hajny wrote:
>> Checksums may indeed be created / calculated rather easily. However,
>> that
>> is not enough. The checksums must get to the end user in secured way as
>> well, otherwise it makes no sense.
>
>
> As the saying goes... Take a page from the playbook of FreeBSD or any
> Linux distro for that matter.
>
> http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/ .
.
Sorry, I know that this is being done, but I don't see how is that more
secure than just downloading the file via HTTPS. As long as the checksums
are not signed, they may be tampered with (or not) the same way as the
original files. Obviously, there are more secure mechanisms (let's take
Debian packages with their signatures as an example), but these require
more overhead (especially with different release makers for different
targets) and still end up with requiring some root trusted element at the
beginning (which usually needs to be downloaded via the same mechanisms as
the installation files in the end which implies that it's still as secure
as the download channel used for getting the files).
Tomas
_______________________________________________
fpc-pascal maillist - [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
|
|
|
On 2017-11-30 23:35, Tomas Hajny wrote:
> Sorry, I know that this is being done, but I don't see how is that more
> secure than just downloading the file via HTTPS.
Not all files are downloaded via a secure protocol like HTTPS. That's
true for FreeBSD, Linux and I would guess even for Free Pascal's
releases (main site and whatever mirrors are available).
I also prefer FTP over HTTP(S) for downloading ISO's or large files -
thus an untrusted connection, but fast. I'd rather have some checksum
than nothing - simply for verifying that my download is not corrupt in
any way.
Regards,
Graeme
--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/My public PGP key: http://tinyurl.com/graeme-pgp_______________________________________________
fpc-pascal maillist - [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
|
|
|
On 2017-11-30 23:35, Tomas Hajny wrote:
> Obviously, there are more secure mechanisms (let's take
> Debian packages with their signatures as an example), but these require
> more overhead (especially with different release makers for different
Not every release maker needs to create there own checksums. Only one
person needs to do a checksum against all release files in a directory
(at the end of the release builds). You then have a CHECKSUM file
listing all release files. If you want to be extra paranoid, then yes,
use GnuPG and sign that file. Again, you only need one GnuPG key used by
all Free Pascal releases. Creating the GnuPG key is a once off task.
Generating the summary checksum file and signing it can all be scripted
(probably in the same script that uploads all the release files to the
server).
Regards,
Graeme
--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/My public PGP key: http://tinyurl.com/graeme-pgp_______________________________________________
fpc-pascal maillist - [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal
|
123
|
Locked
