[opensuse] real 12.2 hashes?
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
openSUSE 12.2 is not released yet, so nobody will confirm this. Have a few more days patience, please
Andreas
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
In Russia there is discussion and some bittorrent info hashes have spread as well. They are already helping to spread the torrents' contents, some nodes in many countries are taking part.
Why not early on distributing the bits and load instead of everyone hammering direct download sites on day 0? Didn't Suse first open the torrent files on the mirrors before in the past and only then later offering the other binaries as well to ease the load?
Regards.
On Monday, September 03, 2012 13:37:45 cagsm wrote:
> [...] Why not early on distributing the bits and load instead of everyone hammering direct download sites on day 0?
This is the wrong list for this, let's discuss elsewhere.
> Didn't Suse first open the torrent files on the mirrors before in the past and only then later offering the other binaries as well to ease the load?
You can do this only on a per directory basis,
Andreas
verified that: the torrents below of the large x86 and x64 .iso match
the hashes posted earlier
openSUSE-12.2-DVD-i586.iso: A73C 877F 4F52 F80D D7D5 B768 8015 9772 7200 A7C5
openSUSE-12.2-DVD-x86_64.iso: D11B E175 60C2 B68F DDF9 31A6 AE0B 2947 BD00 9A10
On 03.09.2012 18:08, cagsm wrote:
> verified that: the torrents below of the large x86 and x64 .iso match the hashes posted earlier
> openSUSE-12.2-DVD-i586.iso: A73C 877F 4F52 F80D D7D5 B768 8015 9772 7200 A7C5
> openSUSE-12.2-DVD-x86_64.iso: D11B E175 60C2 B68F DDF9 31A6 AE0B 2947 BD00 9A10
I am honestly a bit confused by that thread. You verified unofficial hashes against unofficial downloads?
they are the original torrents though, as the infohashes were taken
from the .torrent files that were uploaded to the mirrors and some
russian mirror published the files early.
verify the hashes as soon as your sources show the torrents.
the opensuse trackers are also replying to the infohashes and opensuse
mirror hostnames are amongst the participating hosts
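Added example, not part of the original thread and not openSUSE code: an infohash is the SHA-1 of the bencoded `info` dictionary inside a .torrent file, so it pins the piece hashes of the payload but says nothing about who built the file. The payload, the tracker URL (`tracker.invalid`) and the helper `make_torrent` are constructed for illustration.

```python
import hashlib

def bdecode(buf, i=0):
    """Decode one bencoded value at buf[i]; return (value, index after it)."""
    c = buf[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = buf.index(b"e", i)
        return int(buf[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, closed by 'e'
        items, i = [], i + 1
        while buf[i:i + 1] != b"e":                 # truncated input raises ValueError
            start = i
            val, i = bdecode(buf, i)
            items.append((val, start, i))
        if c == b"l":
            return [v for v, _, _ in items], i + 1
        # dict: key -> (value, raw start, raw end) so callers can hash raw bytes
        return {items[k][0]: items[k + 1] for k in range(0, len(items), 2)}, i + 1
    colon = buf.index(b":", i)                      # byte string: <len>:<bytes>
    n = int(buf[i:colon])
    return buf[colon + 1:colon + 1 + n], colon + 1 + n

def infohash(torrent):
    """SHA-1 over the raw 'info' dict exactly as stored in the .torrent."""
    top, _ = bdecode(torrent)
    _, start, end = top[b"info"]
    return hashlib.sha1(torrent[start:end]).hexdigest()

def piece_hashes(data, plen):
    return b"".join(hashlib.sha1(data[o:o + plen]).digest()
                    for o in range(0, len(data), plen))

def payload_matches(torrent, payload):
    """Check a single-file payload against the piece hashes inside 'info'."""
    info = bdecode(torrent)[0][b"info"][0]
    if len(payload) != info[b"length"][0]:
        return False
    return piece_hashes(payload, info[b"piece length"][0]) == info[b"pieces"][0]

def make_torrent(payload, plen=4):
    """Constructed sample: minimal single-file .torrent for `payload`."""
    pieces = piece_hashes(payload, plen)
    info = b"d6:lengthi%de4:name10:sample.iso12:piece lengthi%de6:pieces%d:%se" % (
        len(payload), plen, len(pieces), pieces)
    return b"d8:announce22:http://tracker.invalid4:info" + info + b"e"

if __name__ == "__main__":
    iso, other = b"constructed ISO bytes", b"constructed ISO bytez"
    published, lookalike = make_torrent(iso), make_torrent(other)
    print(infohash(published), payload_matches(published, iso))
    print(infohash(lookalike), payload_matches(lookalike, other))
```

Both torrents verify their own payload and differ only in infohash, which is why the reference infohash has to come from a source you already trust, such as a file signed by the project key.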
On 03.09.2012 19:19, cagsm wrote:
> they are the original torrents though, as the infohashes were taken from the .torrent files that were uploaded to the mirrors and some russian mirror published the files early.
> verify the hashes as soon as your sources show the torrents. the opensuse trackers are also replying to the infohashes and opensuse mirror hostnames are amongst the participating hosts
> On Mon, Sep 3, 2012 at 6:10 PM, Martin Helm wrote:
>> I am honestly a bit confused by that thread. You verified unofficial hashes against unofficial downloads?
I think you did not understand what I meant. Without confirmation by an official source (opensuse.org) what you post does not become official just because you say so. There is no chain of trust here: Someone took something from somewhere and claims it is official without confirmation from the project which produces that something. That kind of defeats any rules for distribution of binaries for an operating system which claims to be secure. I don't think that helps anyone and does more harm than good even if the iso's are the right ones. What is the point here in doing that instead of just waiting the remaining two days until official release? IMHO nothing.
it's as official as it gets so far. the opensuse trackers only track their own stuff. they only answer to the infohashes that they are in charge of. as they are answering to these infohashes i have posted, they are official.
they are signed by the project keys as the .asc files are available
too. samples:
gpg --check-sigs 0x3DBDC284
pub 2048R/3DBDC284 2008-11-07 [expires: 2014-05-04]
uid openSUSE Project Signing Key
cagsm wrote:
> they are signed by the project keys as the .asc files are available too. samples:
I think Martin's point is that whilst the overwhelming likelihood is that you are absolutely right, the only way for anybody to be sure is (a) to be expert enough to know what can be relied upon and what cannot and (b) to check all your statements themselves. Since most people don't pass the hurdle of requirement (a) and probably won't bother with (b) the result could be that they install some clever malware or simply make a mistake whilst installing and thereby create unneeded and unwanted extra stress and work. And so it is simpler just to wait two days - nothing earth-shattering will be changed by an earlier installation.
On 2012-09-04 10:27, cagsm wrote:
> they are signed by the project keys as the .asc files are available too. samples:
No matter what you say or show, they are unofficial till some official authority from openSUSE says they are.
--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
Just to make this long story short and not to give in to all the lil haters around. I started this thread by asking for the hash info, and eventually was talking to myself pretty much throughout the game and did all the digging and verification myself. So what are you fussing about and complaining all along again? I smell frustration. You mad bro? ^-^
How official are the signing keys again? Do they get any more official ever since they got published back in 2008 or so? That's as official as it gets. That's all I see in terms of trust during any releases these days. I don't know any folks around personally. Leaves you with either you trust the keys or you don't. You most likely cannot handshake all the bits that go into the binary files by heart or from memory or whatever other funny means you claim to have. So most likely you just as well rely on cryptography. Thanks again for proving my point. G'day.
On 2012-09-04 14:16, cagsm wrote:
> Just to make this long story short and not to give in to all the lil haters around.
What are you talking about? You must be deaf, you are not listening to what we say.
--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
On Tue, Sep 04, 2012 at 02:16:12PM +0200, cagsm wrote:
> Just to make this long story short and not to give in to all the lil haters around. I started this thread by asking for the hash info, and eventually was talking to myself pretty much throughout the game and did all the digging and verification myself. So what are you fussing about and complaining all along again? I smell frustration. You mad bro? ^-^
> How official are the signing keys again? Do they get any more official ever since they got published back in 2008 or so? That's as official as it gets. That's all I see in terms of trust during any releases these days. I don't know any folks around personally. Leaves you with either you trust the keys or you don't. You most likely cannot handshake all the bits that go into the binary files by heart or from memory or whatever other funny means you claim to have. So most likely you just as well rely on cryptography. Thanks again for proving my point.
Of course for the signing keys you would need to get them from a trusted source. Unless you visit a congress/fair where actual physical media are handed out, or meet a SUSE developer in person, it will be hard to prove the right keys (in paranoid security thinking ;)
Ciao, Marcus
On 9/3/2012 4:10 AM, Andreas Jaeger wrote:
> openSUSE 12.2 is not released yet, so nobody will confirm this. Have a few more days patience, please
> Andreas
Can we put this to bed now?
http://news.opensuse.org/2012/09/05/opensuse-12-2-green-means-go/
this is really full of funny answers and avoiding clear take on the matter I had originally asked. Eventually I found the asc files and verified that it all was legit and official. after all the signing keys of the project have been there many years now. so if the keys were fine for 12.1 and 11.4 or whatever old things it signed and all the patches and updates and security fixes, then it was just as fine for 12.2, wasn't it? close to nobody ever personally out-of-band received any kind of hashes or signatures and key files. so if you and me all trusted the suse signing keys over the last releases then it was of no discussion that the stuff i dug up and verified was the legit bits. why does anyone trust any download site or whatever they download in the first place. even if i had known any staff personally or developers, what assurance would that give me over time that they don't get corrupt, corrupted by the feds or whomever else.
On 2012-09-07 12:34, cagsm wrote:
> this is really full of funny answers and avoiding clear take on the matter I had originally asked.
Yep. Yours specially. :-)
--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
participants (8)
- Andreas Jaeger
- cagsm
- Carlos E. R.
- Carlos E. R.
- Dave Howorth
- John Andersen
- Marcus Meissner
- Martin Helm