A request for md5 hashs to be published

A request for md5 hashs to be published

[Dennis Clarke]

A small request.

Can the md5 sum hash for the various release files be published at the
main GCC release pages ?
If we look at http://gcc.gnu.org/gcc-4.2/ there is no md5 sum there
and while I can find that data at a mirror thus :

ftp://ftp.mirrorservice.org/sites/sources.redhat.com/pub/gcc/releases/gcc-4.2.4/md5.sum

.. there is no statement of the authenticity of that source file.

I can confim that the md5sum from *that* specific mirror is correct
but that does not convince me that I have a valid tar file :

vesta:/mnt/lfs/sources/tarballs# md5sum gcc-4.2.4.tar.bz2
d79f553e7916ea21c556329eacfeaa16  gcc-4.2.4.tar.bz2

The truth is, I can uncompress that tar file and then recompress it
and get a different md5sum for the exact same input file. That would
also be a valid md5 hash but only for my personal internal mirror.
Really, there should be, in my opinion, a single master page with the
md5sum of the uncompressed tar ball and then the average user can
confirm that it is correct from the master signature page.

Dennis

Re: A request for md5 hashs to be published

[Joe Buck]

On Fri, Jun 06, 2008 at 01:03:19AM +0000, Dennis Clarke wrote:
> Can the md5 sum hash for the various release files be published at the
> main GCC release pages ?
> If we look at http://gcc.gnu.org/gcc-4.2/ there is no md5 sum there
> and while I can find that data at a mirror thus :
> 
> ftp://ftp.mirrorservice.org/sites/sources.redhat.com/pub/gcc/releases/gcc-4.2.4/md5.sum
> 
> .. there is no statement of the authenticity of that source file.

The versions on ftp.gnu.org are accompanied by digital signatures,
which should give stronger assurance than just an md5 sum.