automake

Need better release validation documentation/strategy.


From: Bob Friesenhahn
Subject: Need better release validation documentation/strategy.
Date: Fri, 8 Apr 2022 08:30:10 -0500 (CDT)
User-agent: Alpine 2.20 (GSO 67 2015-01-07)

Today I saw an announcement for a new version of gzip. It provided lots of data for how to verify the downloaded tarballs. I recently saw a very similar announcement for a new version of libtool. I am not sure where the template of this announcement text is coming from, and if anyone has validated that recipients will be able to make sense of it.

The problem is that the advice in the announcements regarding use of 'gpg' just doesn't work (commands fail), and even the SHA256 checksum is described as "SHA256 checksum is base64 encoded" which I was previously only seeing from the BSD-oriented OpenSSH project which might be using a BSD tool which produces such checksums.

It seems like Automake and GNU in general should be trying to help with producing releases and release announcements which assist users with verifying the release tarballs rather than just leaving them royally confused.

If ordinary people are not able to use the data provided with the release announcement, then they will not be validating the tarballs that they run across.  Download statistics suggest that the vast majority of source-code tarball downloads are not being validated at all.

If 'gpg' commands are provided, then they should be able to work by default on popular OS platforms.  Likewise, if a SHA256 checksum is provided and something new like "SHA256 checksum is base64 encoded", then instructions should be provided for how to use mature GNU tools (and/or popular non-GNU tools) to reproduce such a checksum.

While I was able to figure out how to use a combination of openssl and base64 to create matching SHA256 checksums, I doubt that most people would be willing to spend a half hour researching and figuring out how to do this.  I was not able to figure out how to produce a similar SHA256 checksum using the GNU software provided by the OS I am using.

I am not sure who the target audience is for GNU releases these days, but if it is not normal people who are still willing to compile software from source code on popular systems such as GNU/Linux, then there is a problem.
Bob
--
Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer,    http://www.GraphicsMagick.org/
Public Key,     http://www.simplesystems.org/users/bfriesen/public-key.txt
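The base64-encoded SHA256 value the post describes can be reproduced with GNU coreutils alone (sha256sum, cut, base64), without openssl; the script below is an added example, not part of the original post or of Automake, and the openssl function is included only as a cross-check matching the workaround the poster mentions. The tarball path and announced checksum it compares are whatever the caller passes in.

```sh
#!/bin/sh
# Added example: reproduce the "SHA256 checksum is base64 encoded" value
# from a GNU release announcement with GNU coreutils only (sha256sum, cut,
# base64), plus the openssl route mentioned in the post as a cross-check.
# Usage from a script: verify_b64_sha256 <tarball> <base64-sha256-announced>

# Convert the hex string in $1 to raw bytes on stdout, using only POSIX sh.
hex_to_bin() {
    h=$1
    [ $(( ${#h} % 2 )) -eq 0 ] || { echo "odd-length hex: $h" >&2; return 1; }
    while [ -n "$h" ]; do
        rest=${h#??}          # drop the first two hex digits
        pair=${h%"$rest"}     # keep only those two digits
        h=$rest
        # printf expands \ooo octal escapes in its format string into bytes
        printf "\\$(printf '%03o' "$((0x$pair))")"
    done
}

# Hex digest -> base64 of the underlying raw bytes (what the announcement prints).
hex_to_b64() {
    hex_to_bin "$1" | base64
}

# Base64-encoded SHA256 of a file, GNU coreutils only.
b64_sha256_gnu() {
    hex=$(sha256sum -- "$1" | cut -d' ' -f1)
    [ -n "$hex" ] || return 1
    hex_to_b64 "$hex"
}

# Same value via openssl, the workaround the original poster arrived at.
b64_sha256_openssl() {
    openssl dgst -sha256 -binary "$1" | base64
}

# Compare a downloaded tarball with the checksum quoted in the announcement.
# Returns 0 on match, 1 on mismatch (both values are shown on mismatch).
verify_b64_sha256() {
    file=$1 expected=$2
    actual=$(b64_sha256_gnu "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the announced SHA256 ($actual)"
        return 0
    fi
    printf 'MISMATCH: %s\n  announced: %s\n  computed:  %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}
```

Running it on an empty file yields 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=, the base64 form of the well-known SHA256 of empty input, which is a quick way to confirm the pipeline before trusting it on a real tarball.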