From: Zhiming W. <zm...@gm...> - 2017-06-16 12:05:55

Hi,

According to the download page <http://www.valgrind.org/downloads/current.html>, the tarball of the 3.13.0 is hosted at sourceware.org (<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit? Just want to make sure, because releases up until 3.12.0 were all hosted directly on valgrind.org.

Thanks,

Zhiming

From: Mark W. <ma...@kl...> - 2017-06-16 13:05:50

On Fri, 2017-06-16 at 08:05 -0400, Zhiming Wang wrote:
> According to the download page
> <http://www.valgrind.org/downloads/current.html>, the tarball of the 3.13.0 is
> hosted at sourceware.org
> (<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
> Just want to make sure, because releases up until 3.12.0 were all hosted
> directly on valgrind.org.

Yes it is. We will also soon move the code repository from subversion on svn.valgrind.org to git on sourceware. Website will most likely stay on valgrind.org and the bug tracker on bugs.kde.org.

Cheers,

Mark

From: Zhiming W. <zm...@gm...> - 2017-06-16 13:07:04

> On Jun 16, 2017, at 9:05 AM, Mark Wielaard <ma...@kl...> wrote:
>
> On Fri, 2017-06-16 at 08:05 -0400, Zhiming Wang wrote:
>> According to the download page
>> <http://www.valgrind.org/downloads/current.html>, the tarball of the 3.13.0 is
>> hosted at sourceware.org
>> (<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
>> Just want to make sure, because releases up until 3.12.0 were all hosted
>> directly on valgrind.org.
>
> Yes it is. We will also soon move the code repository from subversion on
> svn.valgrind.org to git on sourceware. Website will most likely stay on
> valgrind.org and the bug tracker on bugs.kde.org.

Cool, thanks for the info.

Zhiming

From: Zhiming W. <zm...@gm...> - 2017-06-16 13:31:59

By the way, just a suggestion, maybe you could publish the SHA-256 checksums of release tarballs instead of MD5? MD5 was cracked more than a decade ago (although I haven't looked into the feasibility of producing a collision that still compiles when unpacked).

Zhiming

From: John R. <jr...@bi...> - 2017-06-16 13:55:24

On 06/16/2017 06:31 AM, Zhiming Wang wrote:
> By the way, just a suggestion, maybe you could publish the
> SHA-256 checksums of release tarballs instead of MD5?

Please also publish the exact length in bytes. This is worth _more_ than expanding the width of the checksum, because it is easier (much easier) to produce checksum collisions by extending the length.

From: ISHIKAWA,chiaki <ish...@yk...> - 2017-06-18 07:53:47

On 2017/06/16 22:55, John Reiser wrote:
> On 06/16/2017 06:31 AM, Zhiming Wang wrote:
>> By the way, just a suggestion, maybe you could publish the
>> SHA-256 checksums of release tarballs instead of MD5?
>
> Please also publish the exact length in bytes.
> This is worth _more_ than expanding the width of the checksum,
> because it is easier (much easier) to produce checksum collisions
> by extending the length.
>
>

It's not signed (by PGP/GPG, for example), is it? I realized that it is not. (!) (I saw no trace of signature files for verification on my local PC.)

I know all the pitfalls of signing by open keys, but it still adds a layer of confidence, much better than a single checksum as noted above.

Thank you again for sharing a great piece of software.

TIA
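
The two checks requested in this thread, a SHA-256 digest and the exact length in bytes, combined into one download check. This is an added example, not code from any poster or from the Valgrind project; the function names, the file name and the sample payload are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile


def verify_release(path, expected_sha256, expected_size, chunk_size=1 << 20):
    """Check a download against a published SHA-256 digest and byte length.

    Returns (ok, reason). Expected values must come from the publisher.
    """
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, f"size mismatch: expected {expected_size}, got {actual_size}"
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        # Stream in chunks so large tarballs are not loaded into memory.
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    # Normalise the published value, then compare in constant time.
    if not hmac.compare_digest(digest.hexdigest(), expected_sha256.strip().lower()):
        return False, "sha256 mismatch"
    return True, "ok"


def demo_check():
    """Run the check on a constructed file: intact, extended, then altered."""
    payload = b"constructed release payload\n" * 1000  # not real Valgrind data
    published_sha256 = hashlib.sha256(payload).hexdigest()
    published_size = len(payload)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "example-1.0.tar.bz2")  # hypothetical name
        with open(path, "wb") as fh:
            fh.write(payload)
        results["intact"] = verify_release(path, published_sha256, published_size)
        with open(path, "ab") as fh:  # bytes appended after publication
            fh.write(b"extra")
        results["extended"] = verify_release(path, published_sha256, published_size)
        with open(path, "wb") as fh:  # same length, first byte changed
            fh.write(b"X" + payload[1:])
        results["altered"] = verify_release(path, published_sha256, published_size)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo_check().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} ({reason})")
```

A digest and length fetched from the same location as the tarball detect corruption, but not a file and checksum replaced together; that gap is what the signature question in the last message addresses.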