Nelson H. F. Beebe <[EMAIL PROTECTED]> wrote Mon, Jan 02, 2006: > I just downloaded > > http://elinks.or.cz/download/elinks-0.11.0.tar.bz2 > http://elinks.or.cz/download/elinks-0.11.0.tar.bz2.md5 > http://elinks.or.cz/download/elinks-current-stable.tar.bz2 > http://elinks.or.cz/download/elinks-current-stable.tar.bz2.md5 > http://elinks.or.cz/download/elinks-current-stable.tar.gz > http://elinks.or.cz/download/elinks-current-stable.tar.gz.md5 > > While the checksums match on the 0.11.0 archive, they do not on the > current-stable one: > > % cat elinks-current-stable.tar.bz2.md5 > 0b96713dbe2575de71879c1c8d227636 elinks-current-stable.tar.bz2 > > % md5sum elinks-current-stable.tar.bz2 > cc4f946be41dec5bef5957fd9786f945 elinks-current-stable.tar.bz2 > > % cat elinks-current-stable.tar.gz.md5 > effb899f95b9fe1c0a9dd67099e8b3cb elinks-current-stable.tar.gz > > % md5sum elinks-current-stable.tar.gz > 7c0ba6139ac98700672ad1f98dac6fc5 elinks-current-stable.tar.gz
Ok, I've fixed this for now. > I strongly urge elinks developers to move away from separate checksum > files, which are only useful to validating integrity of downloads; > they are useless against tampering, and that is the big problem on the > Internet today. In 2003, ftp.gnu.org was compromised, in 2004, > www.mozilla.org, and this morning carried news that knoppix-std.org > has been a victim. > > Please consider moving to digital signatures, as the GNU Project now > requires, with signatures properly registered in several key servers. Yes, when it comes to real releases I will begin to sign them (starting soon). I already sign tags for the releases so there is no excuse. The main reason for this has not been taken care of is that 'setup' with which elinks.cz is updated is a bit clumsy. Thanks for the pointers to how to do it. -- Jonas Fonseca _______________________________________________ elinks-users mailing list [email protected] http://linuxfromscratch.org/mailman/listinfo/elinks-users
