[Dev] Cleaning up the repos

Luke Shumaker lukeshu at sbcglobal.net
Sat Nov 29 22:19:14 GMT 2014


At Sat, 29 Nov 2014 21:44:02 +0000,
laigualdad wrote:
> >I'm updating it to point to 2014.10.07 now.
>
> OK then, no need for me to add it to the bug tracker.
> 
> I will add a note about the expired domain though.
> 
> And...you were right about the file verification methods being used,
> there is no issue. It was just my paranoia getting ahead of rational
> thought.
> 
> Thanks! :)

You're welcome, and don't forget to Cc: the list!

--
Happy hacking,
~ Luke Shumaker

> On November 29, 2014 1:41:31 PM EST, Luke Shumaker <lukeshu at sbcglobal.net> wrote:
> >At Sat, 29 Nov 2014 01:07:44 +0000,
> >laigualdad wrote:
> >> The main repo is repo.parabola.nu, right? I presume that is the one
> >> that the others sync with.
> >
> >Yes; though some are probably trying to sync with
> >repo.parabolagnulinux.org, which should be the same server, but the
> >domain has expired.
> >
> >> There is a directory called "latest" which contains the image from
> >> last year. :) It looks like potential confusion could be prevented
> >> by simply deleting it, since the "2013.09.01" directory is
> >> identical.
> >
> >If you browse to <https://repo.parabola.nu/iso/>, you can see that
> >"latest" is a symlink to "2013.09.01".
> >
> >It was never updated to point to "2014.06.01" because nobody was
> >willing to sign the ISO, as it was contributed instead of created by
> >one of the normal developers (he's a normal contributor now, but
> >wasn't at the time).
> >
> >I'm updating it to point to 2014.10.07 now.
> >
> >> The other repos that are not identical simply seem to have not
> >> synced in a while, but I know that's typical in a small distro.
> >> 
> >> In the most recent directory, "2014.10.07", an .sfv (Simple
> >> verification) file is provided rather than a checksum
> >> file. Scratching my head at this. Before now, I'd never even heard
> >> of SFV. A quick search gives me many sources saying that SFV cannot
> >> be used to verify a file's authenticity. Even MD5 hashes are
> >> better. However, these days, we shouldn't use anything less than
> >> SHA-2 hashes (sha256sum, for example), because everything weaker has
> >> been broken!
> >
> >The checksums are only a quick check if the file/download was
> >corrupted; authenticity should be verified with the PGP '.sig' file.
> >
> >--
> >Happy hacking,
> >~ Luke Shumaker
> 
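The split described in the quoted reply above (checksum for corruption, PGP signature for authenticity), shown from the checksum side as an added example that is not part of the original thread or of Parabola's tooling. It assumes the common SFV layout of one `filename CRC32` pair per line with `;` comment lines; the file name and data are constructed.

```python
import tempfile
import zlib
from pathlib import Path


def parse_sfv(text):
    """Map filename -> expected CRC32 from SFV text; ';' starts a comment line."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):
            continue
        parts = line.rsplit(None, 1)  # CRC is the last field; names may contain spaces
        if len(parts) != 2 or len(parts[1]) != 8:
            raise ValueError(f"malformed SFV line: {line!r}")
        entries[parts[0]] = int(parts[1], 16)
    return entries


def crc32_of(path, chunk=1 << 20):
    crc = 0
    with open(path, "rb") as fh:
        while block := fh.read(chunk):  # chunked, so a large image is not held in memory
            crc = zlib.crc32(block, crc)
    return crc


def check_sfv(sfv_text, directory):
    """Return {filename: "OK" | "MISMATCH" | "MISSING" | "REJECTED"}."""
    results = {}
    for name, expected in parse_sfv(sfv_text).items():
        path = Path(directory, name)
        if Path(name).name != name:  # refuse entries that point outside the directory
            results[name] = "REJECTED"
        elif not path.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if crc32_of(path) == expected else "MISMATCH"
    return results


def demo():
    data = b"constructed stand-in for an ISO image\n" * 100  # constructed sample data
    sfv = f"; constructed SFV file\nsample.iso {zlib.crc32(data):08X}\n"
    with tempfile.TemporaryDirectory() as d:
        image = Path(d, "sample.iso")
        image.write_bytes(data)
        intact = check_sfv(sfv, d)
        image.write_bytes(b"X" + data[1:])  # simulate a corrupted download
        return intact, check_sfv(sfv, d)
```

An `OK` result only rules out accidental corruption, because the `.sfv` file comes from the same server as the image; the check of who produced the image is the separate `gpg --verify` of the `.sig` file against the ISO.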


