>
> Nitpick: Not CRC checksums, as those are only good to detect gross data

Fair, "hash" would be the better term that I meant.

On Tue, Feb 4, 2025 at 7:00 AM Alexander Schreiber <a...@thangorodrim.ch>
wrote:

> On Tue, Feb 04, 2025 at 01:33:48AM -0600, Steve Lewis via cctalk wrote:
> > Beyond just the compiler, there are also optimization and other settings
> > (like the multitude of levels of C-compliance or how strict to be about
> > warnings, or conditional builds to tailor it to specific situations).
> >
> > Regardless, proper binary deliveries come with CRC checksums.  This isn't
>
> Nitpick: Not CRC checksums, as those are only good to detect gross data
> corruption (e.g. an entire page/sector being zeroed). The standard these
> days is proper cryptographic hashes that are still known to be strong
> (e.g. not MD5, as it is known to be weak and collisions can be generated,
>  but SHA256/SHA512) and the hashes cryptographically signed.
>
> > just to verify that you downloaded the file correctly, but to also help
> > verify that you've used the exact same "Bill of software material" (SBOM),
> > versions of dependencies, and other settings to produce that same binary.
>
> Reproducible builds are an issue by themselves and require careful attention
> to the build systems. But it should be a base standard.
>
> Kind regards,
>            Alex.
> --
> "Opportunity is missed by most people because it is dressed in overalls and
>  looks like work."                                      -- Thomas A. Edison
>
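The distinction Alex draws above (a CRC catches accidental corruption, a strong hash catches any change, and the published hash list should itself be signed) can be exercised with a small verifier. The following is an added example and not code from this thread or from any project mentioned in it; the artifact bytes, the file name `firmware.bin` and the manifest are all constructed here, and the code assumes the manifest has already been checked against the vendor's signature (e.g. with `gpg --verify`) before its digests are trusted. It reads the `<hexdigest>  <name>` format that `sha256sum -c` consumes, refuses MD5/SHA-1 entries, and shows that a truncated download and a single flipped bit are both rejected.

```python
"""Verify downloaded artifacts against a SHA256SUMS-style manifest.

Added example (not from the cctalk thread). Everything below is constructed:
ARTIFACT stands in for a downloaded binary and MANIFEST for the vendor's
published, signature-verified hash list.
"""
import hashlib
import hmac
import zlib

# Constructed 4 KiB stand-in for a downloaded binary (not a real file).
ARTIFACT = bytes(range(256)) * 16
FILENAME = "firmware.bin"  # hypothetical name used in the constructed manifest

# Collision-capable digests are refused, per the MD5 remark in the thread.
WEAK_ALGORITHMS = {"md5", "sha1"}


def crc32_hex(data: bytes) -> str:
    """CRC-32 as cksum-style tools print it; only useful for accidental damage."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"


def digest_hex(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data with a hashlib algorithm name (sha256, sha512, ...)."""
    return hashlib.new(algo, data).hexdigest()


def make_manifest(files: dict[str, bytes], algo: str = "sha256") -> str:
    """Emit `<hexdigest>  <name>` lines, the format sha256sum -c reads."""
    return "".join(f"{digest_hex(data, algo)}  {name}\n" for name, data in files.items())


def parse_manifest(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest; '*' before a name marks binary mode."""
    entries: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, sep, name = line.partition("  ")
        if not sep or not name:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[name.lstrip("*")] = hexdigest.lower()
    return entries


def verify(data: bytes, expected_hex: str, algo: str = "sha256") -> tuple[bool, str]:
    """Return (ok, reason). Assumes the manifest's signature was checked already."""
    algo = algo.lower()
    if algo in WEAK_ALGORITHMS:
        return False, f"refusing weak algorithm {algo}"
    if len(expected_hex) != 2 * hashlib.new(algo).digest_size:
        return False, "digest length does not match algorithm"
    actual = digest_hex(data, algo)
    # Constant-time comparison; both strings are ASCII hex.
    if hmac.compare_digest(actual, expected_hex.lower()):
        return True, "ok"
    return False, f"mismatch: manifest {expected_hex[:12]}... file {actual[:12]}..."


def verify_all(manifest_text: str, files: dict[str, bytes],
               algo: str = "sha256") -> dict[str, tuple[bool, str]]:
    """Check every downloaded file against the manifest; unlisted files fail."""
    expected = parse_manifest(manifest_text)
    results: dict[str, tuple[bool, str]] = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = (False, "not listed in manifest")
            continue
        results[name] = verify(data, expected[name], algo)
    return results


def flip_one_bit(data: bytes, offset: int = 100) -> bytes:
    """Simulate a one-bit transmission error (or a one-byte edit) in the download."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed manifest, standing in for the vendor's signed SHA256SUMS file.
MANIFEST = make_manifest({FILENAME: ARTIFACT})

if __name__ == "__main__":
    cases = {
        "intact": ARTIFACT,
        "truncated": ARTIFACT[:-512],
        "bit flipped": flip_one_bit(ARTIFACT),
    }
    for label, data in cases.items():
        ok, reason = verify_all(MANIFEST, {FILENAME: data})[FILENAME]
        print(f"{label:12s} crc32={crc32_hex(data)} sha256 ok={ok} ({reason})")
```

The CRC is printed only for comparison; the accept/reject decision rests on the SHA-256 digest, and the digest is only as trustworthy as the signature check on the manifest that was assumed to happen before this code runs.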