From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-return-147091-listarch-gcc=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 19620 invoked by alias); 6 Jun 2008 01:03:52 -0000
Received: (qmail 19487 invoked by uid 22791); 6 Jun 2008 01:03:51 -0000
X-Spam-Check-By: sourceware.org
Received: from wa-out-1112.google.com (HELO wa-out-1112.google.com) (209.85.146.182)     by sourceware.org (qpsmtpd/0.31) with ESMTP; Fri, 06 Jun 2008 01:03:22 +0000
Received: by wa-out-1112.google.com with SMTP id k22so554025waf.20         for <gcc@gcc.gnu.org>; Thu, 05 Jun 2008 18:03:20 -0700 (PDT)
Received: by 10.115.22.1 with SMTP id z1mr2384413wai.99.1212714200014;         Thu, 05 Jun 2008 18:03:20 -0700 (PDT)
Received: by 10.114.27.16 with HTTP; Thu, 5 Jun 2008 18:03:19 -0700 (PDT)
Message-ID: <a6265da20806051803l15406680x60902b78e287431e@mail.gmail.com>
Date: Fri, 06 Jun 2008 01:03:00 -0000
From: "Dennis Clarke" <blastwave@gmail.com>
Reply-To: dclarke@blastwave.org
To: gcc@gcc.gnu.org
Subject: A request for md5 hashs to be published
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Mailing-List: contact gcc-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc/>
List-Post: <mailto:gcc@gcc.gnu.org>
List-Help: <http://gcc.gnu.org/ml/>
Sender: gcc-owner@gcc.gnu.org
X-SW-Source: 2008-06/txt/msg00137.txt.bz2

A small request.

Can the md5 sum hash for the various release files be published at the
main GCC release pages ?
If we look at http://gcc.gnu.org/gcc-4.2/ there is no md5 sum there
and while I can find that data at a mirror thus :

ftp://ftp.mirrorservice.org/sites/sources.redhat.com/pub/gcc/releases/gcc-4.2.4/md5.sum

.. there is no statement of the authenticity of that source file.

I can confim that the md5sum from *that* specific mirror is correct
but that does not convince me that I have a valid tar file :

vesta:/mnt/lfs/sources/tarballs# md5sum gcc-4.2.4.tar.bz2
d79f553e7916ea21c556329eacfeaa16  gcc-4.2.4.tar.bz2

The truth is, I can uncompress that tar file and then recompress it
and get a different md5sum for the exact same input file. That would
also be a valid md5 hash but only for my personal internal mirror.
Really, there should be, in my opinion, a single master page with the
md5sum of the uncompressed tar ball and then the average user can
confirm that it is correct from the master signature page.

Dennis