On Tue, 14 Apr 2020, Bruce Dubbs via lfs-dev wrote:
> On 4/14/20 4:18 PM, Uwe Düffert via lfs-dev wrote:
>> On Wed, 15 Apr 2020, Martin Qi via lfs-dev wrote:
>>> Md5sum is used to verify whether the downloaded file is correct. If
>>> the official md5sum is inconsistent with that of the sites, there will
>>> be a feeling that the file from the sites is wrong or a previous
>>> version. [...]
>> I'd second that. From a user perspective, it feels wrong to have
>> different (e.g.) lfs-bootscripts-$date.tar.xz with the same $date but
>> different checksums out there, even if we know about the source of that.
>> It would be nicer to either have only one such master per day or some
>> other kind of uniqueness like *-$date_$machine or *-$date_$time for each
>> archive that needs its own timestamp/checksum...
> OK, I fixed it,

Thanks!

> but note that the md5sums file on the mirrors was consistent with the
> files there.

I did note that, but still, a user shouldn't have to care. He should be
allowed to assume that a certain book fetched from any mirror talking
about a certain versioned/timestamped archive matches the checksum of
presumably the same archive fetched from any other mirror. After all,
checksumming is about increasing trust and not about (unnecessarily)
sowing doubts. Now, every mismatch can be considered a problem - as it
should.
Uwe