Hi,

On 19/04/20 13:03, Gert Doering wrote:
> Hi,
>
> On Sat, Apr 18, 2020 at 02:30:46PM +0200, Simon Matter wrote:
>> A long time ago I was asking them to also show MD5/SHAXXX checksums so I
>> can easily verify the downloads. My request was turned down for reasons I
>> still don't understand. At least it could give us some peace of mind when
>> downloading OpenVPN and the PGP stuff doesn't work or is not used by the
>> person downloading it.
>
> True... Samuli, are you listening? Adding SHA256s to the release
> announcement might not be so hard to integrate into your process, and
> help in case GPG acts up again.
> (Mostly because "the mail on the list is signed, the other openvpn
> developers see it, and if someone tries to play games, we'll notice")

Having SHA256 sum in the _release announcement_ is good, because it
can't be forged easily. But I would also have it on the download
page. I just need to ask our webmaster to add that field. If the website
is tampered with then we still have the release announcement to refer to.

On a related note: I think we should consider stopping the distribution
of the security list's public key from our webservers and just instruct
people to fetch the key from the keyservers and refresh it if they have
trouble. Meaning: I don't see the extra value distributing the key from
our webserver gives anyone. But please correct me if I'm missing something.

>
> gert
>
> _______________________________________________
> Openvpn-devel mailing list
> Openvpn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-devel
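Added example, not part of the original thread or of the OpenVPN project's tooling: the cross-check discussed above, where the SHA256 in the release announcement is the reference and the download page is a second copy that may have been tampered with. It assumes the announcement's PGP signature has already been verified and that both sources list digests in `sha256sum` format; the function names, file name and sample data are constructed.

```python
import hashlib
import re

# sha256sum-style line: "<64 hex digits>  <filename>" (optional '*' binary marker)
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})[ \t]+\*?(\S+)[ \t]*$", re.MULTILINE)


def published_digest(text, filename):
    """Return the one SHA256 that `text` publishes for `filename`, or None."""
    found = {d.lower() for d, name in _SUM_LINE.findall(text) if name == filename}
    if len(found) > 1:
        raise ValueError(f"conflicting digests published for {filename}")
    return found.pop() if found else None


def check_download(data, filename, announcement, download_page):
    """Classify a download against both publication channels.

    The announcement is authoritative; the web page is only compared to it,
    so a modified page cannot vouch for a modified file.
    """
    actual = hashlib.sha256(data).hexdigest()
    from_mail = published_digest(announcement, filename)
    from_web = published_digest(download_page, filename)
    if from_mail is None:
        return "no-reference"       # nothing independent of the web server
    if from_web is not None and from_web != from_mail:
        return "website-disagrees"  # page and announcement publish different sums
    if actual != from_mail:
        return "file-mismatch"      # file differs from the announced release
    return "ok"


# Constructed sample data (placeholder file name, not a real release).
NAME = "openvpn-X.Y.Z.tar.gz"
GOOD = b"constructed release tarball bytes"
EVIL = b"constructed modified tarball bytes"
ANNOUNCEMENT = f"SHA256 sums:\n{hashlib.sha256(GOOD).hexdigest()}  {NAME}\n"
PAGE_OK = ANNOUNCEMENT
PAGE_TAMPERED = f"{hashlib.sha256(EVIL).hexdigest()}  {NAME}\n"

if __name__ == "__main__":
    for label, data, page in [("clean", GOOD, PAGE_OK),
                              ("file swapped", EVIL, PAGE_OK),
                              ("file and page swapped", EVIL, PAGE_TAMPERED)]:
        print(label, "->", check_download(data, NAME, ANNOUNCEMENT, page))
```
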