[elinks-users] Re: Broken MD5 checksums for 0.11 Stable GIT snapshot

Jonas Fonseca fonseca at diku.dk
Mon Jan 2 12:59:50 PST 2006

Nelson H. F. Beebe <beebe at math.utah.edu> wrote Mon, Jan 02, 2006:
> I just downloaded 
> 	http://elinks.or.cz/download/elinks-0.11.0.tar.bz2
> 	http://elinks.or.cz/download/elinks-0.11.0.tar.bz2.md5
> 	http://elinks.or.cz/download/elinks-current-stable.tar.bz2
> 	http://elinks.or.cz/download/elinks-current-stable.tar.bz2.md5
> 	http://elinks.or.cz/download/elinks-current-stable.tar.gz
> 	http://elinks.or.cz/download/elinks-current-stable.tar.gz.md5
> While the checksums match on the 0.11.0 archive, they do not on the
> current-stable one:
> 	% cat elinks-current-stable.tar.bz2.md5
> 	0b96713dbe2575de71879c1c8d227636  elinks-current-stable.tar.bz2
> 	% md5sum elinks-current-stable.tar.bz2
> 	cc4f946be41dec5bef5957fd9786f945  elinks-current-stable.tar.bz2
> 	% cat elinks-current-stable.tar.gz.md5
> 	effb899f95b9fe1c0a9dd67099e8b3cb  elinks-current-stable.tar.gz
> 	% md5sum elinks-current-stable.tar.gz
> 	7c0ba6139ac98700672ad1f98dac6fc5  elinks-current-stable.tar.gz

Ok, I've fixed this for now.

> I strongly urge elinks developers to move away from separate checksum
> files, which are only useful to validating integrity of downloads;
> they are useless against tampering, and that is the big problem on the
> Internet today.  In 2003, ftp.gnu.org was compromised, in 2004,
> www.mozilla.org, and this morning carried news that knoppix-std.org
> has been a victim.
> Please consider moving to digital signatures, as the GNU Project now
> requires, with signatures properly registered in several key servers.

Yes, when it comes to real releases I will begin to sign them (starting
soon). I already sign tags for the releases so there is no excuse. The
main reason for this has not been taken care of is that 'setup' with
which elinks.cz is updated is a bit clumsy.

Thanks for the pointers to how to do it.

Jonas Fonseca

More information about the elinks-users mailing list