Adam Williamson wrote:
> To be clear, I think the documentation page that Scott linked talks
> about SHA-1 not because someone misread the checksum file but simply
> because it's _old_. It was written at a time when the checksums
> actually were SHA-1. Note the reference to Fedora 7.

Indeed. I filed a bug on this when Fedora 11 came out and it didn't get updated. After various discussion and some excellent help from Richard Jones, we have a pretty reasonable way to build a sha256sum.exe that we can distribute from fedoraproject.org and feel more comfortable recommending to Windows users.

Unfortunately, this didn't happen in time for Fedora 12. But seeing that it's been broken since Fedora 11, another week or two shouldn't kill us. :)

> I think the above page needs to be updated to refer to SHA-256
> checksums. Also, both it and https://fedoraproject.org/en/verify might
> benefit from explicitly mentioning the potential confusion between the
> signature algorithm and the checksum algorithm, until F13 is current.

I'm torn on whether we should call out this issue on fp.o/verify. The page does clearly indicate the command to be used. I fear that adding something like:

    NOTE: Please don't confuse the 'Hash:' line in the *CHECKSUM file,
    (which is part of the PGP signature) with the type of hash
    algorithm used to verify the .iso files

might only serve to add confusion to those who weren't already confused. I think many of the users who were confused downloaded via the torrents and likely never saw the fp.o/verify page at all anyway.

In the end, I think adding some comments directly to the *CHECKSUM files will be much more useful (and is something Jesse has said is on his list of rel-eng tasks -- a list I imagine is fairly long. ;). I think something along the lines of:

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    To verify the file(s) listed below, run:
    sha256sum -c Fedora-12-i686-Live-CHECKSUM
    See https://fedoraproject.org/verify for more details.

    5ad27455df004ee23fbc5a05dfa039a14e59956dccf4e767d493601e0bfa4001 Fedora-12-i686-Live.iso
    -----BEGIN PGP SIGNATURE-----
    [...]
    -----END PGP SIGNATURE-----

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Tell a man there are 300 billion stars in the universe, he'll believe you.
Tell him a bench has wet paint on it and he'll have to touch it to be sure.
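The distinction discussed in the message above, as an added example that is not part of the original thread or of any Fedora tooling: it splits a clearsigned CHECKSUM file into its armor `Hash:` header (the signature's digest) and its body entries, and picks the checksum algorithm from the digest length instead. The file name `sample.iso`, the sample bytes and the helper names are constructed for illustration, and the PGP signature itself is not checked here.

```python
import hashlib
import re

# Constructed sample in the layout proposed in the message above; the digest
# is the SHA-256 of the constructed bytes below, not of a real Fedora image.
SAMPLE_ISO = b"constructed stand-in for an .iso image\n"
SAMPLE_CHECKSUM = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To verify the file(s) listed below, run: sha256sum -c sample-CHECKSUM
{digest}  sample.iso
-----BEGIN PGP SIGNATURE-----
[...]
-----END PGP SIGNATURE-----
""".format(digest=hashlib.sha256(SAMPLE_ISO).hexdigest())

# Hex digest length -> hashlib name used for the checksum entries.
ALGO_BY_HEXLEN = {40: "sha1", 64: "sha256", 128: "sha512"}
ENTRY = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_checksum_file(text):
    """Return (signature_hash, {filename: (algo, hexdigest)})."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
    end = lines.index("-----BEGIN PGP SIGNATURE-----")
    sig_hash, i = None, start + 1
    # Armor headers run until the first blank line; "Hash:" names the digest
    # used by the OpenPGP signature, not the one used for the entries below.
    while lines[i].strip():
        key, _, value = lines[i].partition(":")
        if key == "Hash":
            sig_hash = value.strip()
        i += 1
    entries = {}
    for line in lines[i + 1:end]:
        m = ENTRY.match(line)  # comment lines in the body do not match
        if m and len(m.group(1)) in ALGO_BY_HEXLEN:
            algo = ALGO_BY_HEXLEN[len(m.group(1))]
            entries[m.group(2)] = (algo, m.group(1).lower())
    return sig_hash, entries

def verify(data, algo, expected):
    """Compare the digest of data under algo with the listed hex digest."""
    return hashlib.new(algo, data).hexdigest() == expected

if __name__ == "__main__":
    sig_hash, entries = parse_checksum_file(SAMPLE_CHECKSUM)
    algo, digest = entries["sample.iso"]
    print("signature hash:", sig_hash, "| checksum algorithm:", algo)
    print("sample.iso OK:", verify(SAMPLE_ISO, algo, digest))
```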