Jesse Keating wrote:
Well, if you have to use a tool from the project, to verify other
bits from the project, the verification just became a lot less
trusted. If you don't trust the bits you got from the project, why
would you trust the tool the project gives you to verify the bits?
"Here use this tool to verify our bits. Trust us, we swear!"
At some point, people need to bootstrap. The situation now is that
there isn't a well trusted tool on Windows that we can point users to
for verifying the *-CHECKSUM files (if you know differently, please
let me know). I'd like to improve that by providing a sha256sum.exe
that we can provide source code for, just as any decent cryptographic
tool should have.
I also think it's important to keep in mind that the use for the
sha256sum.exe is to verify that the bits they downloaded are intact,
not that they have not been altered. To verify authenticity, checking
the PGP signature on the *-CHECKSUM file is required. We explain how
to do both on
https://fedoraproject.org/verify. Many users,
especially Windows users, only care about verifying the data's
integrity.
I believe that providing a sha256sum.exe via
https://fp.o/ is surely
an improvement over "Download the .iso and hope it works or check it
with some third-party checksum tool that we can't even hope to
verify."
--
Todd OpenPGP -> KeyID: 0xBEAF0CE3 | URL:
www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You will rue this day! Well, go on! Start ruing!
-- Stewie Griffin