Discussion:
[Valgrind-users] Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?
Zhiming Wang
2017-06-16 12:05:45 UTC
Hi,

According to the download page
<http://www.valgrind.org/downloads/current.html>, the tarball of 3.13.0 is
hosted at sourceware.org
(<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
Just want to make sure, because releases up until 3.12.0 were all hosted
directly on valgrind.org.

Thanks,
Zhiming
Mark Wielaard
2017-06-16 13:05:42 UTC
Post by Zhiming Wang
According to the download page
<http://www.valgrind.org/downloads/current.html>, the tarball of 3.13.0 is
hosted at sourceware.org
(<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
Just want to make sure, because releases up until 3.12.0 were all hosted
directly on valgrind.org.
Yes, it is. We will also soon move the code repository from subversion on
svn.valgrind.org to git on sourceware. The website will most likely stay on
valgrind.org and the bug tracker on bugs.kde.org.

Cheers,

Mark
Zhiming Wang
2017-06-16 13:06:56 UTC
Post by Mark Wielaard
Post by Zhiming Wang
According to the download page
<http://www.valgrind.org/downloads/current.html>, the tarball of 3.13.0 is
hosted at sourceware.org
(<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
Just want to make sure, because releases up until 3.12.0 were all hosted
directly on valgrind.org.
Yes, it is. We will also soon move the code repository from subversion on
svn.valgrind.org to git on sourceware. The website will most likely stay on
valgrind.org and the bug tracker on bugs.kde.org.
Cool, thanks for the info.

Zhiming
Zhiming Wang
2017-06-16 13:31:52 UTC
By the way, just a suggestion, maybe you could publish the
SHA-256 checksums of release tarballs instead of MD5? MD5 was
cracked more than a decade ago (although I haven't looked into
the feasibility of producing a collision that still compiles when
unpacked).

Zhiming
John Reiser
2017-06-16 13:55:15 UTC
Post by Zhiming Wang
By the way, just a suggestion, maybe you could publish the
SHA-256 checksums of release tarballs instead of MD5?
Please also publish the exact length in bytes.
This is worth _more_ than expanding the width of the checksum,
because it is easier (much easier) to produce checksum collisions
by extending the length.
ISHIKAWA,chiaki
2017-06-18 07:34:26 UTC
Post by John Reiser
Post by Zhiming Wang
By the way, just a suggestion, maybe you could publish the
SHA-256 checksums of release tarballs instead of MD5?
Please also publish the exact length in bytes.
This is worth _more_ than expanding the width of the checksum,
because it is easier (much easier) to produce checksum collisions
by extending the length.
It's not signed (by PGP/GPG, for example), is it? I realized that it is
not. (!)
(I saw no trace of signature files for verification on my local PC.)

I know all the pitfalls of signing by open keys, but it still adds a
layer of confidence, much better than a single checksum as noted above.

Thank you again for sharing a great piece of software.

TIA
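A script for the checks John and Chiaki are asking for, as an added example that is not part of this thread or of the Valgrind project: it verifies a downloaded tarball against a published byte length and SHA-256 digest, and checks a detached OpenPGP signature when the project publishes one. The tool names (sha256sum, shasum, openssl, gpg) and the expected values used for testing are assumptions, not real Valgrind release data.

```shell
#!/bin/sh
# Added example (not Valgrind project code): verify a release tarball
# against a published byte length AND a SHA-256 digest, then, when a
# detached signature is published, against the release signing key.
# Expected values passed to these functions are constructed by the caller.

# Print the SHA-256 hex digest of $1, whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/^.*= //'
    fi
}

# Print the size of $1 in bytes (wc -c is POSIX; strip leading blanks).
size_of() {
    wc -c < "$1" | tr -d ' '
}

# verify_release FILE EXPECTED_LENGTH EXPECTED_SHA256
# Returns 0 only if both the length and the digest match. The length is
# checked first: it is cheap and rules out a file that was padded or
# extended before any hashing is done.
verify_release() {
    file=$1; want_len=$2; want_sum=$3
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    got_len=$(size_of "$file")
    if [ "$got_len" != "$want_len" ]; then
        echo "length mismatch: got $got_len, want $want_len" >&2
        return 1
    fi
    got_sum=$(sha256_of "$file" | tr 'A-F' 'a-f')
    if [ "$got_sum" != "$want_sum" ]; then
        echo "sha256 mismatch: got $got_sum" >&2
        return 1
    fi
    return 0
}

# verify_signature FILE SIGFILE: a detached PGP signature binds the
# tarball to a key rather than to a digest that could itself be swapped
# on the mirror. Requires gpg and the release key already in the keyring.
verify_signature() {
    gpg --verify "$2" "$1"
}
```

Publishing the length and the digest side by side, as the thread suggests, costs the project nothing; the signature check is the one that still holds when the mirror itself is untrusted.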
