On 4/17/20 11:19 PM, Kevin Buckley via lfs-dev wrote:
> On Wed, 15 Apr 2020 at 06:09, Uwe Düffert via lfs-dev wrote:
>> ...
>> about a certain versioned/timestamped archive matches the checksum of
>> presumably the same archive fetched from any other mirror. After all,
>> checksumming is about increasing trust and not about (unnecessarily)
>> sowing doubts. Now, every mismatch can be considered a problem - as it
>> should.
>
> Not a solution for everyone but,
> note that the bootscripts tarball is generated from the Book's sources.
> So, if a user is able to download a checksum-ed tarball of the Book
> sources (full trust) and render that locally, the problem goes away,
> even though the checksum of the locally generated tarball may not
> match that quoted in the Book (chain of trust?).

The md5sum for the development book always matches what is in the
book, but that changes daily. If you download it on one day and check it
against another render of the book, it will be different because of the
timestamps. The solution is to just check today's tarball against
today's book.

For stable releases (including -rc releases), it requires some manual
work to make the md5sum permanent. That's a little trickier.

I suppose a different solution is to just not publish the md5sum for the
units and bootscripts tarballs. That's the situation in BLFS.

-- Bruce
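
The timestamp effect discussed in this thread, as an added illustration that is not part of the original messages and not LFS project tooling: the same files archived with different timestamps give different archive checksums, while per-file content digests still match. The file names, contents, timestamps and function names below are constructed for the example.

```python
import hashlib
import io
import tarfile

# Constructed sample content standing in for a rendered bootscripts tree.
FILES = {
    "lfs-bootscripts/Makefile": b"install:\n\tinstall -m 754 rc /etc/rc.d/init.d/\n",
    "lfs-bootscripts/rc": b"#!/bin/sh\necho booting\n",
}

def build_tarball(files, mtime):
    """Return the bytes of an uncompressed tar of `files`, all stamped `mtime`."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = mtime          # the only field that varies between renders here
            info.mode = 0o644
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()

def archive_md5(data):
    """md5 of the whole archive, as md5sum would report for the tarball."""
    return hashlib.md5(data).hexdigest()

def content_digests(data):
    """SHA-256 of each member's contents, ignoring tar header metadata."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return out

def compare(a, b):
    """Classify two tarballs: identical, metadata-only difference, or content change."""
    if archive_md5(a) == archive_md5(b):
        return "identical"
    if content_digests(a) == content_digests(b):
        return "metadata-only"
    return "content-differs"
```

A "metadata-only" result says the two archives carry the same file contents; it is only as trustworthy as the archive being compared against, for example one rendered locally from verified Book sources.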