
Need better release validation documentation/strategy.

From: Bob Friesenhahn
Subject: Need better release validation documentation/strategy.
Date: Fri, 8 Apr 2022 08:30:10 -0500 (CDT)
User-agent: Alpine 2.20 (GSO 67 2015-01-07)

Today I saw an announcement for a new version of gzip. It provided lots of data for how to verify the downloaded tarballs. I recently saw a very similar announcement for a new version of libtool. I am not sure where the template of this announcement text is coming from, and if anyone has validated that recipients will be able to make sense of it.

The problem is that the advice in the announcements regarding use of 'gpg' just doesn't work (commands fail), and even the SHA256 checksum is described as "SHA256 checksum is base64 encoded" which I was previously only seeing from the BSD-oriented OpenSSH project which might be using a BSD tool which produces such checksums.

It seems like Automake and GNU in general should be trying to help with producing releases and release announcements which assist users with verifying the release tarballs rather than just leaving them royally confused.

If ordinary people are not able to use the data provided with the release announcement, then they will not be validating the tarballs that they run across. Download statistics suggest that the vast majority of source-code tarball downloads are not being validated at all.

If 'gpg' commands are provided, then they should be able to work by default on popular OS platforms. Likewise, if a SHA256 checksum is provided and something new like "SHA256 checksum is base64 encoded", then instructions should be provided for how to use mature GNU tools (and/or popular non-GNU tools) to reproduce such a checksum.

While I was able to figure out how to use a combination of openssl and base64 to create matching SHA256 checksums, I doubt that most people would be willing to spend a half hour researching and figuring out how to do this. I was not able to figure out how to produce a similar SHA256 checksum using the GNU software provided by the OS I am using.

I am not sure who the target audience is for GNU releases these days, but if it is not normal people who are still willing to compile software from source code on popular systems such as GNU/Linux, then there is a problem.

Bob Friesenhahn,
GraphicsMagick Maintainer,
Public Key,
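The message above asks how a base64-encoded SHA256 checksum can be reproduced with ordinary GNU tools. The script below is an added example (not part of the original message or of any GNU project) that does it with only `sha256sum` and POSIX `awk`: it converts the hex digest that `sha256sum` prints into base64 and compares it with the value from an announcement. It assumes GNU coreutils `sha256sum` is installed; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example: verify a tarball against a base64-encoded SHA256 checksum
# using only sha256sum and awk (no openssl, no xxd). Assumes GNU coreutils.

# Convert a 64-character hex digest (as printed by sha256sum) to base64.
hex_to_base64() {
  printf '%s' "$1" | awk '
    BEGIN { tbl = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" }
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    {
      hex = $0; n = length(hex); out = ""
      # 3 bytes (6 hex chars) at a time -> 24 bits -> 4 base64 characters;
      # the last group of a 32-byte digest holds 2 bytes -> 3 chars + "=".
      for (i = 1; i <= n; i += 6) {
        chunk = substr(hex, i, 6); len = length(chunk); bytes = len / 2
        v = 0
        for (j = 1; j <= 6; j++)
          v = v * 16 + (j <= len ? hexval(substr(chunk, j, 1)) : 0)
        for (j = 3; j >= 0; j--) {
          idx = int(v / (64 ^ j)) % 64
          out = out ((3 - j) <= bytes ? substr(tbl, idx + 1, 1) : "=")
        }
      }
      print out
    }'
}

# Base64-encoded SHA256 digest of a file, in the announcement's format.
sha256_base64() {
  hex_to_base64 "$(sha256sum "$1" | cut -d' ' -f1)"
}

# verify_tarball FILE EXPECTED_BASE64 -> exit status 0 on match, 1 otherwise.
verify_tarball() {
  actual=$(sha256_base64 "$1")
  if [ "$actual" = "$2" ]; then
    echo "OK: $1"
    return 0
  fi
  echo "MISMATCH: $1 (got $actual, expected $2)" >&2
  return 1
}

# Usage: ./verify.sh gzip-X.Y.tar.gz 'base64-checksum-from-announcement'
if [ "$#" -eq 2 ]; then
  verify_tarball "$1" "$2"
fi
```

Where openssl is available, `openssl dgst -sha256 -binary FILE | base64` yields the same string and can be used to cross-check the awk conversion.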
