[Dev] Cleaning up the repos

The Mighty Gravi themightygravi at inventati.org
Sat Nov 29 11:34:31 GMT 2014


laigualdad <laigualdad at riseup.net> writes:


> In the most recent directory, "2014.10.07", an .sfv (Simple
> verification) file is provided rather than a checksum file. Scratching
> my head at this. Before now, I'd never even heard of SFV. A quick
> search gives me many sources saying that SFV cannot be used to verify
> a file's authenticity. Even MD5 hashes are better.

SFV does not provide any authenticity verification, as md5, SHA-1/2 do not
either. Its purpose is to provide the fastest integrity verification.

Authenticity (and an added checksum embedded layer) resides on the gpg sign (.sig) in the same directory,
which may point to some dude, indeed, familiar to me...

At this point, ISO is trustful.
> My request is that, for the quickest solution, a sha256sums file be
> included in the repos as it was in previous images. I need to download
> the image to start fresh after

If you really find this as an issue, I would suggest you to fill a bug on
labs.parabola.nu so we can examine it and add to our list of pending
TODOs. One for every different issue, giving as much details you feel
are necessary.

As older ISOs are not longer maintained and I have no way to verify how
they were built or who was the responsible I can do nothing, thus I'm
unable to sign them.

Expect some changes on new releases from next year on, beginning with
the contribution of your suggestions at labs..



More information about the Dev mailing list