dscho
commented
9 years ago Please specify where the checksum should be added. Preferably as a Pull Request.
Closed TurnOffNOD closed 8 years ago
dscho
commented
9 years ago Please specify where the checksum should be added. Preferably as a Pull Request.
linquize
commented
9 years ago I think in the release note in https://github.com/git-for-windows/git/releases
dscho
commented
9 years ago My points stand.
TurnOffNOD
commented
8 years ago @dscho In the release page, such as https://github.com/git-for-windows/git/releases/tag/v2.6.1.windows.1
dscho
commented
8 years ago @TurnOffNOD that would not add any level of security: everybody who can intercept the download links can easily intercept (and modify) the release page.
How about using my signature as a measure of trust instead (all of the .exe files are signed with my "Open Source Developer" certificate)?
dscho
commented
8 years ago @TurnOffNOD I only wait for your feedback to close this ticket.
ghost
commented
8 years ago @dsco, I guess it is about recent security news regarding "XcodeGhost".
It is truth that adding checksums to the release note will not improve security of the same file that download to from the same page.
But it will have some "hell country", that block and slow down their internet. Many unfortunate developers download SDK and tools via BitTorrent or non-official mirror sites.
dscho
commented
8 years ago @hkdennis2k let's leave David Scott out of this. Did you know that there is a completion when you type the '@' key in GitHub comments?
Many unfortunate developers download SDK and tools via BitTorrent or non-official mirror sites.
That is a convincing argument. Maybe we can do better than this and provide something like magnet links right away? This would require a command-line tool to seed a given file, of course. Maybe you can get webtorrent to work inside MSys2?
dscho
commented
8 years ago @hkdennis2k @TurnOffNOD any progress in trying to get webtorrent to run on Windows?
TurnOffNOD
commented
8 years ago @dscho Excuse me for my late reply. I was on a business trip last week.
At the beginning I was thinking about a simple method of checking illegal modification and I thought sha256 or sha512 is enough. (Of course we get the checksum from here, so when we download the installer from non-official website or LAN network, it will prevent us from getting a illegal-modified installer.)
I thought signature is a little complicated. If you are concerned about stronger security, signature is also fine.
Besides, what @hkdennis2k said is right, I am living in a country that has a strong Internet-censorship. And that makes the magnet links generated and provided here useless---- I don't know why, magnet links and torrents from foreign websites can't get a high speed when downloading.
As for magnet links, it is not a good idea to us.
Thanks here.
dscho
commented
8 years ago @TurnOffNOD but the checksums are only a red herring, right? The main problem is: how to fix the download speed in your country? Any ideas how to fix that?
ghost
commented
8 years ago It could be an interesting topic if you check also how other open-source project do.
And I realize that the "Git-2.6.2-64-bit.exe" and "PortableGit-2.6.0-64-bit.7z.exe" are already signed by "johannes.schindelin@gmx.de".
Should there are steps to teach everyone how to verify it. e.g. (http://tortoisesvn.net/msiverify.html)
TurnOffNOD
commented
8 years ago @dscho Excuse me I have consulted the dictionary but I am not sure what "red herring" means here.
but the checksums are only a red herring, right? Do you mean "the checksums are only a security warning"?
If my understanding is right, then my answer is "yes".
With checksum or signature, we can download it from a fast-speed non-official website and check it. This will guarantee a no-modification installer.
As for downloading speed, it's more a political problem than a technical problem. Maybe it should be Github's concern.
dscho
commented
8 years ago Excuse me I have consulted the dictionary but I am not sure what "red herring" means here.
@TurnOffNOD it basically means that the checksums are a distraction from the real issue. So while we are getting all hung up and excited about the different ways to verify the authenticity of a file, the actual problem is that you cannot download from GitHub directly because it is too slow.
It could be an interesting topic if you check also how other open-source project do.
@hkdennis2k it is very nice of you to suggest how I should spend my time. At the same time, it would be even nicer if you would study those resources yourself and came back with a summary. We are trying to solve your problem here, after all. I am willing to implement solutions, but I am not willing to do all the work for you.
As for downloading speed, it's more a political problem than a technical problem. Maybe it should be Github's concern.
I do not see how it should now be GitHub's problem. All I do see here is attempts at deflecting real effort to be put into a solution, but instead pretend that it is somebody else's problem to deal with. And I have to admit that I do not like that attitude.
There's got to be ways to make downloads work fast in your country. If that requires one single, slow upload per released version, so be it. I can do that, if I am pointed into the right direction.
dscho
commented
8 years ago Well, uhm, okay. The download problem is still not solved, and I would still be eager to hear what options for download sites exist in restricted networks of the above-mentioned countries.
However, I also wrote a script to automate large parts of the release engineering and there I generate the SHA-256 sums. It is unsatisfying as a solution to me, but it addresses the original wish.
When released , please add the sha512sum or sha256sum of the 4 installers : Git--32-bit.exe ,
Git--64-bit.exe ,
PortableGit--32-bit.7z.exe,
PortableGit--64-bit.7z.exe.
Checksum is enough.