On Fri, Oct 30, 2009 at 01:40:05PM -0400, Eric Christensen wrote:
This ticket[1] has been sitting in BZ for a few weeks so I grabbed
it.
I'd like some input on the best way of remedying the issues.
The ticket contains two problems of which I'll address separately.
<QUOTE>
1. It would be much more convenient if there were a Windows utility for
computing checksums available from the Fedora website. Yes, there are links to
other websites that offer such tools, but this significantly reduces the amount
of trust one can place in the tools, especially since they are not typically
mainstream, high profile sites. The page
(
http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-fil...)
even has a prominent warning: "CAVEAT EMPTOR The Fedora Project and Red Hat
Inc.. have no control over external sites such as the ones listed above, or the
programs they provide" in reference to links to Windows checksum tools.
</QUOTE>
I'm not sure what our options are for creating Windows software to
check checksums. Personally I feel that it is out of scope for
Fedora. There are options available to the user but I agree with the
warning provided. Using something like Bit Torrent to download the
ISOs is a good option as the bits are verified automatically but that
doesn't sound like a good option to give to someone running Windows.
Any thoughts?
I don't feel it's out of scope when the purpose is to allow users of
another OS to be sure their downloaded Fedora media is correct.
BitTorrent is the best answer, and there are plenty of BT tools for
Windows to support that. I made a comment in the bug about MinGW and
that it might offer the ability to compile and offer such a tool.
A sha256sum tool is hard to come by on Windows and I didn't find
anywhere with a published version that I'd call trustworthy -- not in
the "you're probably a bad guy" sense, but in the sense of not having
much in the way of signatures and such to trace the work. I don't
feel comfortable sending Fedora users to some random site where a guy
claims he "recompiled and everything worked fine, so here it is."
<QUOTE>
2. From the home page I first clicked on "Get Fedora" in the sidebar. After
downloading the disc image, I clicked on "Verify your download" which led me
to
(
http://fedoraproject.org/en/verify). At the top of this page was a link for
Windows users with the text "Windows user? Follow these instructions instead."
that led to
(
http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-fil...).
But this page for Windows users was not self contained as the word "instead"
implied, since it did not have links to the checksum files. It would clarify
navigation to have all the information needed to verify the download on a
single page, first presenting the checksum files, and then offering a choice
between Linux or Windows for instructions on how to compute the checksum.
</QUOTE>
Well, this does fold into the first problem. Right now the link from
"Get Fedora" sends you to a webpage[2] that provides information on
verifying the checksum from cli. There is a link at the top of the
page that sends you to the "readme-burning-isos" on docs.fp.o (which
may or may not be out of date). This bring up multiple questions in
my head. I don't have a problem putting the information from the
guide on a webpage but should we duplicate the data in the two forms?
Do they both get updated when a change is made? I don't know. But we
should come up with a way forward on this.
Comments encouraged!
[1]
https://bugzilla.redhat.com/show_bug.cgi?id=527060
[2]
http://fedoraproject.org/en/verify
I'd recommend discussion on the bug itself; I cc'd Richard W.M. Jones
who is a MinGW knowledgeable individual, IIRC.
--
Paul W. Frields
http://paul.frields.org/
gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233 5906 ACDB C937 BD11 3717
http://redhat.com/ - - - -
http://pfrields.fedorapeople.org/
irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug