FPC 3.0.4 released!

Hello,

Finally, the Free Pascal 3.0.4 release is available from our FTP servers.

Changes that may break backwards compatibility will be documented at:
http://wiki.freepascal.org/User_Changes_3_0_4

For Downloads, please use the FTP server at

ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/

and sourceforge

https://sourceforge.net/projects/freepascal/files/

as much possible.

Enjoy!

The Free Pascal Compiler Team


                            Free Pascal Compiler

                                 Version 3.0.4

 ******************************************************************************
                               What's New in 3.0.4
 ******************************************************************************

 Free Pascal 3.0.4 is a point release of the 3.0.x fixes branch.

 Please also see http://wiki.freepascal.org/User_Changes_3.0.4 for a list
 of changes that may affect the behaviour of previously working code, and
 how to cope with these changes.

 Some highlights are:

 Packages:
   * fcl-pdf updates
   * fcl-passrc updates.
   * fix traceback on ELF based systems

 See http://bugs.freepascal.org/changelog_page.php for the list of reported
 bugs which have been fixed in this release.

_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
[hidden email] (Marco van de Voort) wrote:

This gives:
500 /pub/fpc/dist/3.0.4: No such file or directory

Mattias
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
[hidden email] (Marco van de Voort) wrote:

> Hello,
>
> Finally, the Free Pascal 3.0.4 release is available from our FTP servers.
>
> Changes that may break backwards compatibility will be documented at:
> http://wiki.freepascal.org/User_Changes_3_0_4

That should be
http://wiki.freepascal.org/User_Changes_3.0.4

Mattias
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On Thu, 30 Nov 2017 11:04:31 +0100 (CET)
[hidden email] (Marco van de Voort) wrote:

>[...]
> and sourceforge
>
> https://sourceforge.net/projects/freepascal/files/

This
https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.4/
contains a fpc 3.0.5 as well.

Is this on purpose?

Mattias
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

Hi,

On Thu, 30 Nov 2017, Marco van de Voort wrote:

> For Downloads, please use the FTP server at
>
> ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/

Not sure why Marco decided to redirect everything to the stack.nl mirror
as primary source in his announcement, but everything should be on
ftpmaster, so:

ftp://ftp.freepascal.org/pub/fpc/dist/3.0.4/

Or the right mirror URL for the stack.nl mirror is:

ftp://freepascal.stack.nl/pub/mirrors/fpc/dist/3.0.4/

Charlie
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

In our previous episode, Mattias Gaertner said:
> > and sourceforge
> >
> > https://sourceforge.net/projects/freepascal/files/
>
> This
> https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.4/
> contains a fpc 3.0.5 as well.
>
> Is this on purpose?

Yes, ios comes from a special branch because of aarch64, and the increased
number reflects that, it also was that way with 3.0.2 (3.0.3)

See e.g. https://sourceforge.net/projects/freepascal/files/Mac%20OS%20X/3.0.2

That's all what I know about it though, I haven't followed Apple targets in
recent years.

_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

In our previous episode, Mattias Gaertner said:
> > Finally, the Free Pascal 3.0.4 release is available from our FTP servers.
> >
> > Changes that may break backwards compatibility will be documented at:
> > http://wiki.freepascal.org/User_Changes_3_0_4
>
> That should be
> http://wiki.freepascal.org/User_Changes_3.0.4

Thanks, I added a redirect, so the old now also works. Probably bungled it
because of svn tags are encodeded that way.
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

Thanks for the release in progress!

How can I verify those downloads with shasum or gpg fingerprints)? (FTP
and HTTP seem not to be the safest ways these days.)

> Changes that may break backwards compatibility will be documented at:
> http://wiki.freepascal.org/User_Changes_3_0_4

"T.B.D."

> For Downloads, please use the FTP server at
> ftp://freepascal.stack.nl/pub/fpc/dist/3.0.4/

It's at ftp://freepascal.stack.nl/pub/mirrors/fpc/dist/3.0.4/

> https://sourceforge.net/projects/freepascal/files/

Please also update
https://sourceforge.net/projects/freepascal/files/readme.txt/download
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

In our previous episode, kardan said:
> How can I verify those downloads with shasum or gpg fingerprints)? (FTP
> and HTTP seem not to be the safest ways these days.)
>
> > Changes that may break backwards compatibility will be documented at:
> > http://wiki.freepascal.org/User_Changes_3_0_4
>
> "T.B.D."

Already fixed, redirected to 3.0.4.
 

> > readme at
> > https://sourceforge.net/projects/freepascal/files/

Done
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

Le 30/11/2017 à 13:00, kardan a écrit :
> Thanks for the release in progress!
> Please also update
> https://sourceforge.net/projects/freepascal/files/readme.txt/download

  I did this a few minutes ago.

  But I am not sure all releases available on ftp are also available on SourceForge...


Pierre
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

In our previous episode, Pierre Muller said:
> > Thanks for the release in progress!
> > Please also update
> > https://sourceforge.net/projects/freepascal/files/readme.txt/download
>
>   I did this a few minutes ago.
>
>   But I am not sure all releases available on ftp are also available on SourceForge...

Like?
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

Wow, both of you managed to avoid my actual question. :)

On Thu, 30 Nov 2017 13:00:07 +0100
kardan <[hidden email]> wrote:

> How can I verify those downloads with shasum or gpg fingerprints)?
> (FTP and HTTP seem not to be the safest ways these days.)

Kardan
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On Thu, November 30, 2017 15:32, kardan wrote:
> Wow, both of you managed to avoid my actual question. :)
>
> On Thu, 30 Nov 2017 13:00:07 +0100
> kardan <[hidden email]> wrote:
>
>> How can I verify those downloads with shasum or gpg fingerprints)?
>> (FTP and HTTP seem not to be the safest ways these days.)

Sourceforge provides HTTPS access, that should be safe enough. Apart from
that - no, checksums are not being created as part of the release process
at the moment.

Tomas


_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On 2017-11-30 14:47, Tomas Hajny wrote:
> Sourceforge provides HTTPS access, that should be safe enough. Apart from
> that - no, checksums are not being created as part of the release process
> at the moment.
>
> Tomas

That really should be fixed. As someone that has many many releases is
my years, in is hardly any effort creating such checksums - and can be
easily scripted.


Regards,
   Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On Thu, November 30, 2017 22:46, Graeme Geldenhuys wrote:
Checksums may indeed be created / calculated rather easily. However, that
is not enough. The checksums must get to the end user in secured way as
well, otherwise it makes no sense. What is the appropriate mechanism for
that from your point of view? Just listing on our WWW pages (since these
may be accessed via HTTPS to avoid modification on the way) and copying
the checksum to the WWW pages with links (somewhat time-consuming,
unfortunately, due to many download pages and many files - I guess that we
may provide you with a possibility to do this for the next release if you
like ;-) )? Or having a signed (how - which trusted signature source?)
checksum file accompanying each and every released file (cluttering the
release directories considerably)? Or?

Tomas


_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On 2017-11-30 22:26, Tomas Hajny wrote:
> Checksums may indeed be created / calculated rather easily. However, that
> is not enough. The checksums must get to the end user in secured way as
> well, otherwise it makes no sense.


As the saying goes... Take a page from the playbook of FreeBSD or any
Linux distro for that matter.

   http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/

or

  http://www.mirrorservice.org/sites/releases.ubuntu.com/17.10/

In summary, a single CHECKSUM file listing each file and its related
checksum. This is a standard layout that many tools can handle and can
be used to verify many files in one go. There are tools that can
generate these complete files too.

On a side note:
   MD5 and SHA1 is loosing popularity (but still better than nothing).
   SHA256 or SHA512 should now be the norm.


Regards,
   Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On Fri, December 1, 2017 00:18, Graeme Geldenhuys wrote:  .
 .

Sorry, I know that this is being done, but I don't see how is that more
secure than just downloading the file via HTTPS. As long as the checksums
are not signed, they may be tampered with (or not) the same way as the
original files. Obviously, there are more secure mechanisms (let's take
Debian packages with their signatures as an example), but these require
more overhead (especially with different release makers for different
targets) and still end up with requiring some root trusted element at the
beginning (which usually needs to be downloaded via the same mechanisms as
the installation files in the end which implies that it's still as secure
as the download channel used for getting the files).

Tomas


_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On 2017-11-30 23:35, Tomas Hajny wrote:
> Sorry, I know that this is being done, but I don't see how is that more
> secure than just downloading the file via HTTPS.

Not all files are downloaded via a secure protocol like HTTPS. That's
true for FreeBSD, Linux and I would guess even for Free Pascal's
releases (main site and whatever mirrors are available).

I also prefer FTP over HTTP(S) for downloading ISO's or large files -
thus an untrusted connection, but fast. I'd rather have some checksum
than nothing - simply for verifying that my download is not corrupt in
any way.


Regards,
   Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On 2017-11-30 23:35, Tomas Hajny wrote:
> Obviously, there are more secure mechanisms (let's take
> Debian packages with their signatures as an example), but these require
> more overhead (especially with different release makers for different

Not every release maker needs to create there own checksums. Only one
person needs to do a checksum against all release files in a directory
(at the end of the release builds). You then have a CHECKSUM file
listing all release files. If you want to be extra paranoid, then yes,
use GnuPG and sign that file. Again, you only need one GnuPG key used by
all Free Pascal releases. Creating the GnuPG key is a once off task.
Generating the summary checksum file and signing it can all be scripted
(probably in the same script that uploads all the release files to the
server).

Regards,
   Graeme

--
fpGUI Toolkit - a cross-platform GUI toolkit using Free Pascal
http://fpgui.sourceforge.net/

My public PGP key:  http://tinyurl.com/graeme-pgp
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal

On Thu, 30 Nov 2017 23:26:31 +0100
"Tomas Hajny" <[hidden email]> wrote:

This is part of one of my install scripts for latest vagrant:

VAGRANT_DEB=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_i686.deb
VAGRANT_SUMS=https://releases.hashicorp.com/vagrant/2.0.1/vagrant_2.0.1_SHA256SUMS
until [ \
  "$(sha256sum vagrant_2.0.1_i686.deb)" = \
  "$(curl -s $VAGRANT_SUMS|grep $(basename $VAGRANT_DEB))" ]
do wget -c $VAGRANT_DEB; done
sudo dpkg -i $(basename $VAGRANT_DEB)

Wikipedia provides gpg signatures for each release file:
gpg --recv-keys 9D3BB7B0
URL=https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.2.tar.gz
wget $URL{,.sig}
gpg --verify $(basename $URL).sig

Riseup.net takes it one step further and sign important statements and
certificates:
https://riseup.net/en/canary
https://riseup.net/en/security/network-security/riseup-ca

In your case it would be probably enough to
sha256sum $FILES > SHA256SUMS.txt
gpg --sign SHA256SUMS.txt

Thanks!
Kardan
_______________________________________________
fpc-pascal maillist  -  [hidden email]
http://lists.freepascal.org/cgi-bin/mailman/listinfo/fpc-pascal