Safe way to get the md5sum files?


Post by MReimer » Mon Mar 23, 2020 2:52 pm

Hello,

I'm trying to set up package autobuild using a continuous integration system. I don't want the hassle of checking GPG signatures. Setting up software in the context of a hosted CI service is not easy and sometimes even impossible or not allowed.

Best way would be to be able to access the md5sum files using some "secure" connection.

For example, Arch Linux itself has this:

https://www.archlinux.org/iso/latest/sha1sums.txt

Fast, easy, secure and simple way of getting a "trustworthy" checksum to compare files downloaded from mirrors to.

This could also help when installing manually. You could link the proper md5sum file with each of the installation instructions so people can check their downloads manually.

Does something like this exist for Arch Linux ARM and, if not, could you symlink them to some place on your webserver so they can be downloaded via encrypted HTTPS?

Edit: You actually link the MD5 files here:
https://archlinuxarm.org/about/downloads

Fiddling with the URL brings me to this: https://archlinuxarm.org/os/ArchLinuxAR ... tar.gz.md5

And this link downgrades to HTTP... Useless this way. If a mirror is compromised, then the "hacker" would replace the md5 files, too. Having them on the trustworthy source would really help here.
MReimer
 
Posts: 17
Joined: Sun Jul 14, 2013 12:28 pm
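
The check the post asks for, as an added example (not part of the original post and not Arch Linux ARM project code): fetch the checksum file over HTTPS, refuse any redirect that drops to HTTP, then compare the mirror download against the listed digest. The class and function names are hypothetical, the sample data is constructed, and `md5` is the default only because the post's files are `.md5`.

```python
import hashlib
import tempfile
import urllib.error
import urllib.request
from urllib.parse import urlsplit


class HttpsOnlyRedirects(urllib.request.HTTPRedirectHandler):
    """Abort instead of following a redirect that leaves HTTPS."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        if urlsplit(newurl).scheme != "https":
            raise urllib.error.URLError(f"refusing downgrade redirect to {newurl}")
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_checksum_text(url, timeout=30):
    """Fetch the checksum file; every hop must be certificate-verified HTTPS."""
    if urlsplit(url).scheme != "https":
        raise ValueError("checksum URL must use https")
    opener = urllib.request.build_opener(HttpsOnlyRedirects())
    with opener.open(url, timeout=timeout) as resp:
        return resp.read().decode("ascii")


def expected_digest(checksum_text, filename):
    """Return the digest listed for filename in md5sum-style text."""
    for line in checksum_text.splitlines():
        parts = line.split(maxsplit=1)  # "<hex>  name" or "<hex> *name"
        if len(parts) == 2 and parts[1].lstrip("*").strip() == filename:
            return parts[0].lower()
    raise LookupError(f"{filename} not listed in checksum file")


def verify_file(path, expected_hex, algorithm="md5"):
    """Hash the file in 1 MiB chunks and compare with the trusted digest."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest() == expected_hex.lower()


if __name__ == "__main__":
    # Constructed sample standing in for a mirror download and its checksum file.
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"constructed sample image\n")
    listing = hashlib.md5(b"constructed sample image\n").hexdigest() + "  image.tar.gz\n"
    print(verify_file(f.name, expected_digest(listing, "image.tar.gz")))
```

In a CI job, `fetch_checksum_text` would be pointed at the checksum URL on the trusted host and `verify_file` at the tarball pulled from a mirror, with the build failing on `False` or on any raised exception.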
