
Dear ABCL maintainers,

I am a maintainer for the Homebrew package manager. Recently we noticed that the checksum of ABCL 1.9.1’s source tarball, downloaded from https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz, has changed from 9dc2fb0886e97be1906e6d0a96671ef9d0f52b9f91817e4c64741cd18bf8e0d1 (as of 2023-02-20 10:19 UTC) to a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2. May I confirm if the source tarball was updated? Thanks!

Regards,
Ruoyu

On Mar 22, 2023, at 09:33, Ruoyu Zhong <zhongruoyu@outlook.com> wrote:
> Dear ABCL maintainers,
>
> I am a maintainer for the Homebrew package manager. Recently we noticed that the checksum of ABCL 1.9.1’s source tarball, downloaded from https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz, has changed from 9dc2fb0886e97be1906e6d0a96671ef9d0f52b9f91817e4c64741cd18bf8e0d1 (as of 2023-02-20 10:19 UTC) to a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2. May I confirm if the source tarball was updated? Thanks!

In the current release process, the files are allowed to change before the signatures are committed to.

Did <https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz.asc> change on you?

--
"A screaming comes across the sky. It has happened before but there is nothing to compare to it now."

> Did <https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz.asc> change on you?

We verify downloads by their SHA-256 checksum, not signatures. But I was able to verify the validity of the signature locally:

$ gpg -d abcl-src-1.9.1.tar.gz.asc
gpg: assuming signed data in 'abcl-src-1.9.1.tar.gz'
gpg: Signature made Thu Feb 23 20:29:07 2023 +08
gpg: using DSA key 5491D207FF9ECDE0BEA277772A9641104DB1773D
gpg: issuer "evenson.not.org@gmail.com"
gpg: Good signature from "Mark Evenson <evenson.not.org@gmail.com>" [unknown]
gpg: WARNING: The key's User ID is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5491 D207 FF9E CDE0 BEA2 7777 2A96 4110 4DB1 773D
$ shasum -a 256 abcl-src-1.9.1.tar.gz
a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2 abcl-src-1.9.1.tar.gz

> In the current release process, the files are allowed to change before the signatures are committed to.

In that case, I will determine that it is safe to proceed to update the SHA-256 checksum on our end. (I noted that FreeBSD Ports uses the current checksum, too.) Thanks!

Regards,
Ruoyu

On 22 Mar 2023, at 9:41 PM, Mark Evenson <evenson@panix.com> wrote:
> On Mar 22, 2023, at 09:33, Ruoyu Zhong <zhongruoyu@outlook.com> wrote:
>> Dear ABCL maintainers,
>>
>> I am a maintainer for the Homebrew package manager. Recently we noticed that the checksum of ABCL 1.9.1’s source tarball, downloaded from https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz, has changed from 9dc2fb0886e97be1906e6d0a96671ef9d0f52b9f91817e4c64741cd18bf8e0d1 (as of 2023-02-20 10:19 UTC) to a5bc677c9441f4a833c20a541bddd16fff9264846691de9a1daf6699f8ff11e2. May I confirm if the source tarball was updated? Thanks!
>
> In the current release process, the files are allowed to change before the signatures are committed to.
>
> Did <https://abcl.org/releases/1.9.1/abcl-src-1.9.1.tar.gz.asc> change on you?
>
> --
> "A screaming comes across the sky. It has happened before but there is nothing to compare to it now."
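
Added example, not part of the thread and not Homebrew's or ABCL's own code: one way a packager could gate a re-pin when an upstream tarball's SHA-256 changes, accepting the new digest only if gpg's machine-readable status reports a valid signature whose primary key fingerprint equals a pinned one. The function names, the verdict strings, the choice to pin the fingerprint shown in the gpg output above, and the sample status lines are all assumptions of this example.

```python
import hashlib
import hmac

# Fingerprint gpg printed in the thread; treating it as the pinned release key is an assumption.
PINNED_FPR = "5491D207FF9ECDE0BEA277772A9641104DB1773D"

# Constructed sample of `gpg --status-fd 1 --verify SIG FILE` output (not captured from a real run).
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 2A9641104DB1773D Mark Evenson <evenson.not.org@gmail.com>
[GNUPG:] VALIDSIG 5491D207FF9ECDE0BEA277772A9641104DB1773D 2023-02-23 1677155347 0 4 0 17 8 00 5491D207FF9ECDE0BEA277772A9641104DB1773D
"""

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large tarballs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def signer_fingerprints(status_text):
    """Return (signing key fpr, primary key fpr) from the first VALIDSIG line, else None.

    gpg emits VALIDSIG only for a cryptographically valid signature; the primary
    key fingerprint is the optional last field (parts[11])."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            signing = parts[2].upper()
            return signing, (parts[11].upper() if len(parts) >= 12 else signing)
    return None

def review_repin(path, old_pin, status_text, pinned_fpr=PINNED_FPR):
    """Classify a download against the old pin; return (verdict, sha256 of the file)."""
    digest = sha256_file(path)
    if hmac.compare_digest(digest, old_pin.lower()):
        return "unchanged", digest
    fprs = signer_fingerprints(status_text)
    # "Good signature" from an uncertified key proves little; require the pinned fingerprint.
    if fprs and hmac.compare_digest(fprs[1], pinned_fpr.upper()):
        return "changed-signed-by-pinned-key", digest
    return "changed-unverified", digest
```

The status text must come from a gpg run over the same file that was hashed, and the pinned fingerprint should be obtained out of band rather than from the server that hosts the tarball.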