Mailinglist Archive: opensuse-factory (649 mails)

Re: [opensuse-factory] leap 42.3 great, sha256 bug or feature?
On Tue, Aug 01, 2017 at 11:47:44PM +0200, Peter Mc Donough wrote:
On 01.08.2017 at 23:25, Roman Bysh wrote:
On 01/08/17 05:02 PM, Peter Mc Donough wrote:

Two different download locations.
The message in German:
sha256sum: WARNUNG: 14 Zeilen sind nicht korrekt formatiert
Something wrong?

It says WARNING: 14 lines are not formatted correctly.
The only line you need to look at is the sha256 line.

Ah, I see, it is "OK"!

peter@kubu-lux:/xt/lokal/zusatz/ISOs/ISOs_suse$ sha256sum -c openSUSE-Leap-42.3-DVD-x86_64.iso.sha256
openSUSE-Leap-42.3-DVD-x86_64.iso: OK


I was pondering this last night, burning a disk at work as a high
bandwidth sneaker-net. K3b nicely calculated an md5sum, so I went to
look for an md5sum, and then tripped over the same warning - but I'd
come across it before.

There's a difficult balancing act between the level of assumed knowledge
and wanting to keep things simple enough not to put too many barriers
up. It is also far better to instill good habits from the outset than
try to fix bad ones later.

Trying to look at this with fresh eyes, from the perspective of a new
user, we don't make these validation steps very easy. Ever had a user
(rightly) ask why the known host key of an ssh server has changed and
how/where to validate it? How many times do you know a server key has
changed but have never been asked by a remote user to validate it?

Perhaps sha256sum could be improved to recognise a GPG key and send a
better informational message back to the user? It seems a common use case.


So, I then went through the new-user-friendly "front door":

https://software.opensuse.org/distributions/leap

And there is a helpful link:

https://en.opensuse.org/SDB:Download_help#Checksums

Might it be worth cribbing some of the info and creating an old
fashioned readme to drop into the distribution mirrors alongside the
iso & sha256 files? Or even add a brief warning/explanation in the
checksum files themselves?

This might just be for the recursively paranoid, but is there an
over-arching set of scripts that actively check changes made to key
fingerprints on the twiki & web pages?

Daniel

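The suggestion in the message above, that the tooling recognise the GPG material and tell the user what the "not formatted correctly" lines are, sketched as an added example (not code from the thread, from openSUSE or from sha256sum). It assumes the `.sha256` file is a PGP clearsigned message; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the checksum file is PGP clearsigned, so the
# armor and signature lines around the checksum entry are what sha256sum
# reports as improperly formatted.

# ERE for one checksum entry: 64 hex digits, a space, ' ' or '*', file name.
ENTRY_RE='^[0-9a-fA-F]{64} [ *].+$'

# Print how many lines of the file are not checksum entries.
count_other_lines() {
    grep -Evc "$ENTRY_RE" "$1" || true   # grep -c exits 1 when the count is 0
}

# Succeed if the file carries PGP clearsign armor.
is_clearsigned() {
    grep -q '^-----BEGIN PGP SIGNED MESSAGE-----' "$1" &&
        grep -q '^-----BEGIN PGP SIGNATURE-----' "$1"
}

# Explain the non-checksum lines, then check only the checksum entries.
# This does not verify the signature; that is gpg's job.
verify_with_explanation() {
    sumfile=$1
    other=$(count_other_lines "$sumfile")
    if is_clearsigned "$sumfile"; then
        echo "note: $other lines are not checksum entries because the file" \
             "is PGP clearsigned; check the signature with: gpg --verify $sumfile"
    elif [ "$other" -gt 0 ]; then
        echo "warning: $other lines are neither checksum entries nor PGP armor"
    fi
    # Work in the checksum file's directory so the relative file name resolves.
    ( cd "$(dirname "$sumfile")" &&
        grep -E "$ENTRY_RE" "$(basename "$sumfile")" | sha256sum -c - )
}

# Usage: verify_with_explanation openSUSE-Leap-42.3-DVD-x86_64.iso.sha256
```

An `OK` from the checksum step only shows that the download matches the checksum file; whether the checksum file itself is authentic depends on the `gpg --verify` result against a key obtained from a trusted source.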
