Checksums of release files

kripton
Posts: 42
Joined: Tue Sep 29, 2015 7:01 pm
Real Name: Jannis

Hi,
would it be possible to generate and publish checksums (MD5, SHA1, SHA256, SHA512) of the release files? Many distributions use them (or GPG signatures) to verify integrity. Instead of calculating them for every distribution (and the files might have been maliciously altered already), it would be good to have them available from the trusted source (where the source archives and builds are actually created). Shouldn't be hard to add the checksum-calculating-step to the scripts generating the archives and builds now.

Opinions?
mcallegari
Posts: 4711
Joined: Sun Apr 12, 2015 9:09 am
Location: Italy
Real Name: Massimo Callegari

Hey, the Debian package creation also produces a .dsc file, which includes the information you mentioned.

Check this out: http://www.qlcplus.org/downloads/4.10.3 ... _amd64.dsc

I can add a link to those files in the website download page, but I doubt many Linux users will actually use it.

[EDIT] Actually, the dsc file refers to the source package... I'd need to put in some effort to generate checksums for each deb package :(
kripton

The .dsc-file is a good start ;)
Since it's probably a tool provided by Debian it might not be easy to add the SHA512-checksum, right?

For me personally, the checksums for the source tars matter most. Oh, and this is what it's for: https://github.com/gentoo/gentoo/pull/989/files
QLC+ can now be easily installed on Gentoo Linux systems and for each version bump, the checksums need to be provided in the Manifest file.

Is the 4.10.3a the fix for the audio-plugin problem with Qt4?
mcallegari

Would it help if I publish md5 and sha256/512 sums in the GitHub tag notes? (basically here: https://github.com/mcallegari/qlcplus/r ... 2B_4.10.3a)

> Is the 4.10.3a the fix for the audio-plugin problem with Qt4?
Yes, and also a couple of regressions introduced by the changes to handle speeds in milliseconds, so please use 4.10.3a.
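
One way the checksum step requested at the top of this thread could be added to a release script, as an added example that is not part of the thread and not QLC+'s own build tooling. It writes SHA256SUMS and SHA512SUMS files in the format that `sha256sum -c` and `sha512sum -c` read, then verifies them; the directory and archive name are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

ALGORITHMS = ("sha256", "sha512")  # MD5 and SHA1 left out: both have known collisions


def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so large archives are not read into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(release_dir, algorithm):
    """Write e.g. SHA256SUMS as 'digest  name' lines, one per release file."""
    release_dir = Path(release_dir)
    out = release_dir / f"{algorithm.upper()}SUMS"
    files = sorted(p for p in release_dir.iterdir()
                   if p.is_file() and not p.name.endswith("SUMS"))
    out.write_text("".join(f"{file_digest(p, algorithm)}  {p.name}\n" for p in files))
    return out


def verify_checksums(sums_file, algorithm):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    sums_file = Path(sums_file)
    results = {}
    for line in sums_file.read_text().splitlines():
        expected, name = line.split("  ", 1)
        target = sums_file.parent / name
        if not target.is_file():
            results[name] = "MISSING"
        elif hmac.compare_digest(file_digest(target, algorithm), expected):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed stand-in for a release dir
        tarball = Path(d) / "example-1.0.tar.gz"  # hypothetical archive name
        tarball.write_bytes(b"constructed archive contents")
        for alg in ALGORITHMS:
            print(alg, verify_checksums(write_checksums(d, alg), alg))
```

A sums file served from the same place as the archives only catches corruption in transit or storage. Detecting a maliciously altered archive needs the sums file itself to be authenticated, for example with the GPG signatures mentioned in the first post.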