checksum for release tarballs?


  • Guest -
Thank you for the checksum (it does match what I have on my system).
I guess my main motivation is less the risk of an accidentally corrupted download, but rather the risk of a malicious man-in-the-middle attack (which is, admittedly, quite unlikely). If I am going to install software on my system, I like to know that it is the same software that the "upstream" is actually distributing, so that the only security risk I incur is that of trusting the upstream to not be malicious. On Debian/Ubuntu/Fedora/RHEL, installed packages are signed and the signature is verified by the package manager; checksums are a cheap alternative that is almost as effective.
Quote: Sep 23rd 12:27 am
We can post a SHA256 checksum for you if needed. Most of the open-source (non-industry) research codes just post source and binary and generally do not list a checksum.

It sounds like you are concerned your download did not go through properly. Can you elaborate?

Bert

Quote: Sep 22nd 8:22 pm
Is any developer interested in posting a checksum (e.g. SHA256) of the Nwchem-6.0.tar.gz?
This is something of an industry standard for open-source software, and helps ensure that the tarball as downloaded is the intended set of bits.