Jesse Keating wrote:
> Well, if you have to use a tool from the project, to verify other
> bits from the project, the verification just became a lot less
> trusted. If you don't trust the bits you got from the project, why
> would you trust the tool the project gives you to verify the bits?
> "Here use this tool to verify our bits. Trust us, we swear!"

At some point, people need to bootstrap. The situation now is that there isn't a well trusted tool on Windows that we can point users to for verifying the *-CHECKSUM files (if you know differently, please let me know). I'd like to improve that by providing a sha256sum.exe that we can provide source code for, just as any decent cryptographic tool should have.

I also think it's important to keep in mind that the use for the sha256sum.exe is to verify that the bits they downloaded are intact, not that they have not been altered. To verify authenticity, checking the PGP signature on the *-CHECKSUM file is required. We explain how to do both on https://fedoraproject.org/verify.

Many users, especially Windows users, only care about verifying the data's integrity. I believe that providing a sha256sum.exe via https://fp.o/ is surely an improvement over "Download the .iso and hope it works or check it with some third-party checksum tool that we can't even hope to verify."

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You will rue this day! Well, go on! Start ruing!
    -- Stewie Griffin
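The integrity check Todd describes (hashing the downloaded file and comparing it to the line in the *-CHECKSUM file) is what a sha256sum tool does, and the PGP signature on the CHECKSUM file is the separate authenticity step. The following is an added example written for this page, not Fedora project code or the proposed sha256sum.exe; it parses BSD-style lines ("SHA256 (file) = hex", the shape Fedora's CHECKSUM files use) and GNU-style lines ("hex  file"), ignores the PGP clearsign armour around them, and streams each file through SHA-256. The file names, payload bytes and CHECKSUM text are constructed for the demo.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# BSD-style line as found in Fedora's *-CHECKSUM files, and the GNU
# sha256sum output shape ("hex  name" or "hex *name"). Anything else, such
# as the PGP clearsign header and signature block, is skipped by the parser.
BSD_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]{64})$")
GNU_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64}) [ *](?P<name>.+)$")


def parse_checksum_file(text: str) -> dict[str, str]:
    """Return {filename: expected_sha256_hex} from a CHECKSUM file body."""
    expected = {}
    for line in text.splitlines():
        m = BSD_LINE.match(line.strip()) or GNU_LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    return expected


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash the file in chunks; release images are far too large to read whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_downloads(checksum_text: str, directory: Path) -> dict[str, str]:
    """Map each file listed in the CHECKSUM text to "OK", "FAILED" or "MISSING".

    This only establishes integrity. Whether the CHECKSUM text itself is
    genuine is decided by checking its PGP signature (gpg --verify), which
    is a separate step not performed here.
    """
    results = {}
    for name, digest in parse_checksum_file(checksum_text).items():
        target = directory / name
        if not target.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_of_file(target), digest):
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo() -> dict[str, str]:
    """Constructed sample: one intact file, one corrupted file, one absent file."""
    payload = b"constructed sample image contents\n"
    good_digest = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "good.iso").write_bytes(payload)
        (d / "corrupt.iso").write_bytes(payload[:-1] + b"!")  # last byte altered
        # Constructed CHECKSUM body, shaped like a clearsigned file; the
        # signature block is a placeholder, not a real signature.
        checksum_text = "\n".join([
            "-----BEGIN PGP SIGNED MESSAGE-----",
            "Hash: SHA256",
            "",
            f"SHA256 (good.iso) = {good_digest}",
            f"SHA256 (corrupt.iso) = {good_digest}",
            f"{good_digest}  absent.iso",
            "-----BEGIN PGP SIGNATURE-----",
            "(placeholder signature block)",
            "-----END PGP SIGNATURE-----",
        ])
        return verify_downloads(checksum_text, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The comparison uses `hmac.compare_digest` rather than `==` out of habit for anything digest-shaped; for a public checksum it makes no practical difference, but it costs nothing. The important design point is the docstring on `verify_downloads`: a matching hash tells you the download is intact, and only the signature on the CHECKSUM file tells you the expected hash came from the project.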
_______________________________________________
Fedora-infrastructure-list mailing list
Fedora-infrastructure-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-infrastructure-list