checksum for release tarballs?


  • Guest -
Is any developer interested in posting a checksum (e.g. SHA256) of the Nwchem-6.0.tar.gz?
This is something of an industry standard for open-source software, and helps ensure that the tarball as downloaded is the intended set of bits.

  • Guest -
We can post a SHA256 checksum for you if needed. Most of the open-source (non-industry) research codes just post source and binary and generally do not list a checksum.

It sounds like you are concerned your download did not go through properly. Can you elaborate?

Bert

Quote: Sep 22nd 8:22 pm
Is any developer interested in posting a checksum (e.g. SHA256) of the Nwchem-6.0.tar.gz?
This is something of an industry standard for open-source software, and helps ensure that the tarball as downloaded is the intended set of bits.

Forum Vet
sha256sum Nwchem-6.0.tar.gz
d16e02f91874190e9b01da74e7479bfe4913b70c7f2c53dd7f6ddafd11b79d28 Nwchem-6.0.tar.gz

Bert




Quote: Sep 23rd 12:27 am
We can post a SHA256 checksum for you if needed. Most of the open-source (non-industry) research codes just post source and binary and generally do not list a checksum.

It sounds like you are concerned your download did not go through properly. Can you elaborate?

Bert


  • Guest -
Thank you for the checksum (it does match what I have on my system).
I guess my main motivation is less the risk of an accidentally corrupted download, but rather the risk of a malicious man-in-the-middle attack (which is, admittedly, quite unlikely). If I am going to install software on my system, I like to know that it is the same software that the "upstream" is actually distributing, so that the only security risk I incur is that of trusting the upstream to not be malicious. On Debian/Ubuntu/Fedora/RHEL, installed packages are signed and the signature is verified by the package manager; checksums are a cheap alternative that is almost as effective.
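
Added example, not part of any post in this thread: a POSIX shell check of a downloaded tarball against a published SHA-256 digest, as discussed above. The function names sha256_of and verify_tarball are hypothetical, and the expected digest is assumed to come from a channel separate from the download itself, since a digest fetched over the same path as the tarball only detects corruption, not substitution.

```shell
#!/bin/sh
# Added example (not from the thread): check a downloaded release tarball
# against a SHA-256 digest obtained from a channel you trust.
# Usage: sh verify_tarball.sh <file> <expected-sha256>  (script name is hypothetical)

# Print the lowercase hex SHA-256 of file $1. Reading via stdin keeps odd
# file names (leading dash, backslashes) from changing the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1"
    else
        openssl dgst -sha256 -r < "$1"
    fi | awk '{ print tolower($1) }'
}

# Return 0 on match, 1 on mismatch, 2 if the inputs are unusable.
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "error: cannot read $file" >&2
        return 2
    fi
    # Require a full 64-hex-digit digest; a truncated or padded value is
    # rejected instead of being compared loosely.
    if ! printf '%s\n' "$expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "error: expected value is not a SHA-256 hex digest" >&2
        return 2
    fi

    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Run only when called with both arguments, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    verify_tarball "$1" "$2"
fi
```

An install script can branch on the exit status, so that a mismatch (1) stops the build and a malformed digest (2) is reported as an input error rather than as a bad download.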
