Checksums of release files

[kripton]

Hi,
would it be possible to generate and publish checksums (MD5, SHA1, SHA256, SHA512) of the release files? Many distributions use them (or GPG signatures) to verify integrity. Instead of calculating them for every distribution (and the files might have been maliciously altered already), it would be good to have them available from the trusted source (where the source archives and builds are actually created). Shouldn't be hard to add the checksum-calculating-step to the scripts generating the archives and builds now.

Opinions?

[mcallegari]

Hey, the Debian package creation produce also a .dsc file, which includes the information you mentioned.

Check this out: http://www.qlcplus.org/downloads/4.10.3 ... _amd64.dsc

I can add a link to those files in the website download page, but I doubt many Linux users will actually use it.

[EDIT] actually the dsc file refers to the source package...I'd need to put some effort to generate checksums for each deb package

[kripton]

The .dsc-file is a good start
Since it's probably a tool provided by Debian it might not be easy to add the SHA512-checksum, right?

For me personally, the checksums for the source tars matter most. Oh, and this is what's it for: https://github.com/gentoo/gentoo/pull/989/files
QLC+ can now be easily installed on Gentoo Linux systems and for each version bump, the checksums need to be provided in the Manifest file.

Is the 4.10.3a the fix for the audio-plugin problem with Qt4?

[mcallegari]

Would it help if I publish md5 and sha256/512 sums in the Github tag notes ? (basically here: https://github.com/mcallegari/qlcplus/r ... 2B_4.10.3a)

Is the 4.10.3a the fix for the audio-plugin problem with Qt4?

Yes, and also a couple of regressions introduced by the changes to handle speeds in milliseconds, so please use 4.10.3a.