problem on your site: using SHA-256 and saying it is SHA-1

Todd Zullinger tmz at pobox.com
Tue Feb 16 18:16:51 UTC 2010


Hi Andrew,

Andrew W. Hagen wrote:
> Hello, I was just downloading Fedora off your site. I tried to
> verify the download. The downloads did not verify. For example,
>
> Fedora-12-i386-DVD.iso
>
> as downloaded has a SHA-1 checksum of
>
> 0dc8ed436f0b44874454a379e8de5ad057c0115d
>
> but under the verify section,
>
> https://fedoraproject.org/static/checksums/Fedora-12-i386-CHECKSUM
>
> you say that its "SHA-1" checksum is
>
> f0ad929cd259957e160ea442eb80986b5f01daaffdbcc7e5a1840a666c4447c7
>
> As you can see, the two checksums don't even have the same length.
>
> The checksum you posted does match the SHA-256 checksum of the file,
> however.
>
> If you post SHA-256 checksums, and not SHA-1 checksums, please note
> that. It will save people time. Thank you.

There is a large note on https://fedoraproject.org/verify about this:

    Please note that the Hash: SHA1 line in the CHECKSUM file is part
    of the PGP signature. It does not specify the type of hash used to
    verify the .iso files.

Many people are confused by this and we plan to include text in the
CHECKSUM files themselves for future releases to make it clearer.

Thanks,

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
A budget is just a method of worrying before you spend money, as well
as afterward.
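
The distinction drawn in the reply above, as an added example that is not part of the original messages or of Fedora's tooling: the `Hash:` armor header of a clearsigned file is read separately from the checksum entries, and each entry's algorithm is inferred from its digest length. The function names, the `digest *filename` line layout and the sample data are assumptions constructed for illustration.

```python
import hashlib

# Hex digest length -> algorithm; a 64-character digest cannot be SHA-1.
ALGO_BY_HEX_LEN = {40: "sha1", 64: "sha256", 128: "sha512"}

def parse_clearsigned(text):
    """Return (signature_hash_header, {filename: digest}) from a clearsigned file."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----") + 1
    sig_hash = None
    # Armor headers end at the first blank line; "Hash:" describes the signature only.
    while lines[start].strip():
        key, _, value = lines[start].partition(":")
        if key == "Hash":
            sig_hash = value.strip()
        start += 1
    entries = {}
    for line in lines[start + 1:]:
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        if line.startswith("- "):      # undo clearsign dash-escaping
            line = line[2:]
        parts = line.split()
        if len(parts) == 2:            # assumed layout: "<digest> *<filename>"
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return sig_hash, entries

def check_file(data, checksum_text, name):
    """Return (algorithm_inferred_from_digest_length, digest_matches)."""
    _, entries = parse_clearsigned(checksum_text)
    expected = entries[name]
    algo = ALGO_BY_HEX_LEN[len(expected)]
    return algo, hashlib.new(algo, data).hexdigest() == expected

# Constructed sample: stand-in payload and a placeholder signature block.
SAMPLE_DATA = b"constructed stand-in for an ISO image\n"
SAMPLE_CHECKSUM = (
    "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n"
    + hashlib.sha256(SAMPLE_DATA).hexdigest() + " *sample.iso\n"
    "-----BEGIN PGP SIGNATURE-----\n\n"
    "(constructed placeholder, not a real signature)\n"
    "-----END PGP SIGNATURE-----\n"
)

if __name__ == "__main__":
    sig_hash, _ = parse_clearsigned(SAMPLE_CHECKSUM)
    algo, ok = check_file(SAMPLE_DATA, SAMPLE_CHECKSUM, "sample.iso")
    print(f"signature digest: {sig_hash}; file digest: {algo}; match: {ok}")
```

This compares digests only; the entries are trustworthy only after the file's PGP signature has itself been verified, for example with `gpg --verify`.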
