[Slackbuilds-users] md5sums [was: Flowblade]
gen-bch at useyouresp.org.uk
Tue May 2 16:47:53 UTC 2017
On Tue, 2 May 2017 12:28:46 -0400
B Watson <yalhcru at gmail.com> wrote:
> On 5/2/17, General <gen-bch at useyouresp.org.uk> wrote:
> > Which leads me to another [general] question: when getting a
> > source of Github (of which I am not too familiar) , what happens in
> > terms of process that leads to the md5sum's on the
> > slackbuilds.org..... I could not see any published [by the
> > developers] any checksums etc ?
> Whoever writes the SlackBuild downloads the file and calculates its
> md5sum. In other words, they come from the SBo maintainer, not from
> the upstream devs.
> As a user, the md5sum matching means you're using the same source as
> the SBo maintainer wrote his script for... but there's no 'chain of
> trust' beyond that.
> (About now, someone will chime in with 'But md5 is weak and has been
> exploited!', I'll leave that discussion for later...)
> SlackBuilds-users mailing list
> SlackBuilds-users at slackbuilds.org
> Archives - https://lists.slackbuilds.org/pipermail/slackbuilds-users/
> FAQ - https://slackbuilds.org/faq/
Thank you for the reply. Ahh I see. I had it in my mind that
upstream/devs would post a [sourse] release as such with some checksum,
so that when it arrived elsewhere it could be validated (as best one
can) to not have been meddled with.
More information about the SlackBuilds-users