small-tech / should-i-pipe-it

Is this installation script safe to pipe into my shell?
GNU Affero General Public License v3.0

Mention hashing algorithm/command to check near hash & introduce more #5

Open rugk opened 4 years ago

rugk commented 4 years ago

The site should mention what hash algo it uses (looks like SHA-512) so one can check it locally. Just saying "hash" means nothing – could also be an MD5 hash :stuck_out_tongue_winking_eye:

(Also SHA256 should be enough, but well… does not hurt.)

rugk commented 4 years ago

Ahhh it is BLAKE2b-512! :open_mouth: No surprise the hashes don't match… https://github.com/small-tech/should-i-pipe-it/issues/4 :roll_eyes:

Really? How am I supposed to check these locally? No Linux distro has a blake2 CLI hashing tool preinstalled… (and I also don't know how to install one) Can't we have more convenient hashes?

At least SHA-256 or so should be there…

BLAKE2b may be nice and fast, but really – who cares for hashing one file. We don't need an absurd performance here…

aral commented 4 years ago

Even if it was a more popular hash, the problem is that no one* downloads and checks hashes anyway. Given that unless validation runs at install-time on the actual machine that it’s been installed on, we cannot protect against time-of-check-time-of-use attacks, my thought currently is to create a tiny commandline tool that can be used in place of wget or curl for this purpose.

* Except those three people in Iceland.
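Two things in the thread above invite a concrete example: rugk's question of how to reproduce the BLAKE2b-512 digest locally, and aral's point that a hash only helps if the comparison happens on the machine doing the install, against the exact bytes that get executed. The script below is an added example written for this page, not code from should-i-pipe-it or its authors. It assumes the expected digest is a hex string you copied from a source you trust (the site shows BLAKE2b-512; SHA-256 is offered alongside it because `sha256sum` is everywhere, although `b2sum` from GNU coreutils also produces BLAKE2b-512) and that the installer is a POSIX shell script. It downloads once, hashes the buffer in memory, and pipes that same buffer into `sh -s`, so there is no second download or temporary file that could change between check and use.

```python
"""Download an install script, verify its digest, then run exactly those bytes.

Added example for the should-i-pipe-it discussion; not the project's own code.
Assumes: expected digest is hex copied from a trusted place, script is POSIX sh.
"""
import hashlib
import hmac
import subprocess
import sys
import urllib.request

# BLAKE2b-512 is hashlib.blake2b with its default 64-byte digest. SHA-256 is
# included because far more tooling can reproduce it (sha256sum, openssl dgst).
ALGORITHMS = {
    "blake2b-512": lambda: hashlib.blake2b(digest_size=64),
    "sha256": hashlib.sha256,
}


def digests(data: bytes) -> dict:
    """Hex digests of the same bytes under every supported algorithm."""
    result = {}
    for name, constructor in ALGORITHMS.items():
        h = constructor()
        h.update(data)
        result[name] = h.hexdigest()
    return result


def verify(data: bytes, expected_hex: str, algorithm: str) -> bool:
    """Compare the computed digest with the expected one in constant time.

    The algorithm is named explicitly rather than guessed from the digest
    length, so whoever controls the page cannot quietly swap in a weaker hash.
    """
    actual = digests(data)[algorithm]
    return hmac.compare_digest(actual, expected_hex.strip().lower())


def fetch(url: str) -> bytes:
    """Download the installer once; the returned buffer is the only copy used."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read()


def run_verified(data: bytes, expected_hex: str, algorithm: str) -> int:
    """Run the bytes only if they verify.

    Feeding the buffer to `sh -s` on stdin means the bytes that were hashed and
    the bytes that execute are the same object: no re-download, no temp file
    that could be replaced between the check and the use.
    """
    if not verify(data, expected_hex, algorithm):
        raise ValueError(f"{algorithm} mismatch; refusing to run the script")
    return subprocess.run(["sh", "-s"], input=data, check=False).returncode


if __name__ == "__main__":
    # usage: python verify_and_run.py URL EXPECTED_HEX [blake2b-512|sha256]
    url, expected = sys.argv[1], sys.argv[2]
    algorithm = sys.argv[3] if len(sys.argv) > 3 else "blake2b-512"
    script = fetch(url)
    for name, hexdigest in digests(script).items():
        print(f"{name}: {hexdigest}", file=sys.stderr)  # for manual cross-checking
    sys.exit(run_verified(script, expected, algorithm))
```

Two caveats a practitioner should keep in mind. First, this only proves the downloaded bytes match the digest you pasted; if the page that shows the digest and the script itself are served from the same compromised host, both can be replaced together, so the digest has to come from somewhere you trust independently. Second, on the command line you can get the same numbers with `b2sum install.sh` (BLAKE2b-512 by default) and `sha256sum install.sh`; the value of the script above is that the check and the execution are inseparable.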

rugk commented 4 years ago

Well… if no one does that anyway, why bother and display the hash on the website? If so, then just do remove that? :thinking: (What is the reason for displaying it there, then?)

aral commented 4 years ago

So that people verifying it can copy and paste it like you did for your pull request ;)

rugk commented 4 years ago

Well… only for that…? :thinking: Edit: If you really think so, the hash could be de-emphasized a lot. No one needs it at the top of the site then; e.g. you could just have it labelled as an "internal file ID" (or "file hash") somewhere at the bottom.

(And yes, you caught me… :stuck_out_tongue_winking_eye: :upside_down_face:)