X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fastmail.com; h=
	content-transfer-encoding:content-type:date:from:in-reply-to
	:message-id:mime-version:references:reply-to:subject:to
	:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; bh=3x6lCiUKyqWtq36fA
	V5pZ4KfAmfMse7MMu/ybHdg1bE=; b=DcicVj+Z3zNxELEcdRufduBFgyO6Scv6e
	96z/o/9rj2kOU3QXZzKOZRtwl2INVNEgc8ik95gXcX22fIwzfIWpyx3iGhXgbK/u
	X3LK52Oh0cRmypGrEdTsLQEigo4/a3p+rn0z4kb3V/ynQ39baVlKcz7R++O56qHC
	HpTsdMCh4pAUKblp8uoxYFpe1PNao0aTnNbfVQuaIVeY3H1rYbD5eqzpt0AGBe/y
	1OWi/VzSBCYi/EwGD3xbo/riYIc8Zy7W0z7VYeM9tXlgEguI4mR3ugTLOiPfj51d
	JCDbRmDQwLCg73eqt4+UZ+tGwFRHy6SkUGrrQb0TagDQtxGUvLTeA==
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
	messagingengine.com; h=content-transfer-encoding:content-type
	:date:from:in-reply-to:message-id:mime-version:references
	:reply-to:subject:to:x-me-sender:x-me-sender:x-sasl-enc; s=fm3;
	 bh=3x6lCiUKyqWtq36fAV5pZ4KfAmfMse7MMu/ybHdg1bE=; b=hHFmB5/MNxAM
	YLUdekmrrWwqYpoLBVz6P8ryrVoXQvyD31DQHQSaMB5/QUTAonFuUHyI/MBGUMMv
	OMYnaXxngyJILYgiNs7FRXTzU44i0H91+e/TIQPKr7dFD7guGp3YTURfPFDIlncE
	aTSdRVSyiSarlzvmLJXV+3h8N8gkKQn87DhaX20YUysX+xvYc4y6vREp1kplb0ii
	yAkMclzr3eySy3Q20RzyJtse+kBs0Hlx65vrZWmjAer7wO9/d6kc2qZ0OkSbIbTo
	DLdSO2NsHlM82DKXV1+KTiHIFRHDbxEGRyKdtWOlpTLinRNZ69hQ4Prqk921KDej
	snMFdQmJyw==
X-ME-Proxy: <xmx:AiGQWxcKNNeXio8O3dE8QeYrT9h6p__4pH12boDn_NX7OMogibNBxg>
    <xmx:AiGQW3dA6g8umrmIEtecJJ5olzj5bBHm7bnF0HfxnFnS4_UCPnN92Q>
    <xmx:AiGQWwatOdp2sQVO7W5ozf7P-2xb8LOtZS7LWdHkR64wE55MDIGxog>
    <xmx:AiGQW8or5OwFn-GL0598y3eRlnvqiWhgJxNMRneOmv0uK-Z5HhSvsg>
    <xmx:AiGQWzYlfuktQbPXEInR_-wQIeiF53y5-XCvFAmIvcyMKcKWt_KrUQ>
    <xmx:AiGQWyC6fdHuWd6lXB0eG2AtYnSDelTCcHURXHJA1p1oL5ja585CVw>
X-ME-Sender: <xms:AiGQW1DikBz418yut4CBBcDeOX9MLTPxk52JNTeZzXhQ7El6S0QupQ>
Subject: Re: [geda-user] [pcb-rnd] anniversary release: 2.0.1
To: geda-user AT delorie DOT com
References: <alpine DOT DEB DOT 2 DOT 00 DOT 1808290436410 DOT 21900 AT igor2priv>
 <0cf4753a-6fac-2e90-bdef-ab27e127810a AT fastmail DOT com>
 <alpine DOT DEB DOT 2 DOT 00 DOT 1809050708420 DOT 21900 AT igor2priv>
From: "Girvin Herr (gherrl AT fastmail DOT com) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
Message-ID: <1b455a32-722e-3224-bf81-28ca77523c23@fastmail.com>
Date: Wed, 5 Sep 2018 11:28:15 -0700
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101
 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <alpine.DEB.2.00.1809050708420.21900@igor2priv>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com
Precedence: bulk


On 09/04/2018 10:19 PM, gedau AT igor2 DOT repo DOT hu wrote:
> Hello Girvin,
>
> On Tue, 4 Sep 2018, Girvin Herr (gherrl AT fastmail DOT com) [via 
> geda-user AT delorie DOT com] wrote:
>
>> Greetings,
>>
>> I just downloaded this version. However, there does not seem to be a 
>> check file to verify the contents. Is there an md5, or better, a 
>> gnupg ".asc" file to verify the file I downloaded is correct?
>>
>> If an asc file, where can I find the gnupg key to check it with?
>
> Here are the md5sums:
>
> ee0974eeff3f256f295b80cf993ac8e0  changelog-2.0.1.txt
> a2f2cf0651851fce54dfed13b9ca3e5c  pcb-rnd-2.0.1.tar.bz2
> 31f5fbff478fad8fa9ada5db26953230  pcb-rnd-2.0.1.tar.gz
> c0a16d875eb2d84f40c7acba26d203cc  pcb-rnd-2.0.1.zip
> dd523cba0e62e315c409c9fc9e04e61f  relnotes-2.0.1.txt
>
> sha1sums:
>
> d39014632b5da585a51715af11cc069288800253  changelog-2.0.1.txt
> 3f00ceb8e58c298109437ee187ef382cc64b5c86  pcb-rnd-2.0.1.tar.bz2
> 37793ad5a2414b9c67cb386eee711f62b94b5899  pcb-rnd-2.0.1.tar.gz
> 5e9efd428625b92dff8201fb510e3160c52399ae  pcb-rnd-2.0.1.zip
> 534a9764d0a394813c64138ba2379178e37d3f7a  relnotes-2.0.1.txt
>
> Transmission:
>
> If you are worried about truncated files: the http header contains the 
> file length so your browser or donwloader would know if it received a 
> truncated file. If about transmission errors (random bits changing): 
> tcp/ip has checksums built in, that's usually enough, but probably 
> gzip/bz2 would also detect the problem.
>
> Security:
>
> We don't have automatism for checksum publication, because we don't 
> have a second channel (everything goes through repo.hu) so it wouldn't 
> mitigate an attack against repo.hu. I am sending this mail from 
> repo.hu too so although you get it through DJ's mailing list server, 
> the md5sums are really coming from the same machine as the tarballs - 
> won't increase security. I mean if a hypotetical attacker gains access 
> to that machine and alter the tarballs, he'd also alter the checksums 
> or signature published from/on the same machine.
>
> Best regards,
>
> Igor2

Igor2,

Thanks for the checksums.

I still feel better that what I have on my machine is what you expect me 
to have. I am not so concerned about transmission errors as about 
security. As you say, the sums could be hacked too, but that is why I 
prefer the gnupg key system. It is more difficult to hack, especially if 
the key is stored offsite, such as the gnupg website.

FYI: To go one step further, I automatically check the files again in my 
Slackware Linux package buildscripts before I even start creating a 
Slackware package for installation.

Thanks again and take care.
Girvin Herr