Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

Zhiming Wang
Hi,

According to the download page
<http://www.valgrind.org/downloads/current.html>, the tarball of the 3.13.0 is
hosted at sourceware.org
(<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
Just want to make sure, because releases up until 3.12.0 were all hosted
directly on valgrind.org.

Thanks,
Zhiming
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

Mark Wielaard-3
On Fri, 2017-06-16 at 08:05 -0400, Zhiming Wang wrote:
> According to the download page
> <http://www.valgrind.org/downloads/current.html>, the tarball of the 3.13.0 is
> hosted at sourceware.org
> (<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
> Just want to make sure, because releases up until 3.12.0 were all hosted
> directly on valgrind.org.

Yes it is. We will also soon move the code repository from subversion on
svn.valgrind.org to git on sourceware. Website will most likely stay on
valgrind.org and the bug tracker on bugs.kde.org.

Cheers,

Mark

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

Zhiming Wang
> On Jun 16, 2017, at 9:05 AM, Mark Wielaard <[hidden email]> wrote:
>
> On Fri, 2017-06-16 at 08:05 -0400, Zhiming Wang wrote:
>> According to the download page
>> <http://www.valgrind.org/downloads/current.html>, the tarball of the 3.13.0 is
>> hosted at sourceware.org
>> (<ftp://sourceware.org/pub/valgrind/valgrind-3.13.0.tar.bz2>). Is this legit?
>> Just want to make sure, because releases up until 3.12.0 were all hosted
>> directly on valgrind.org.
>
> Yes it is. We will also soon move the code repository from subversion on
> svn.valgrind.org to git on sourceware. Website will most likely stay on
> valgrind.org and the bug tracker on bugs.kde.org.

Cool, thanks for the info.

Zhiming



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

Zhiming Wang
By the way, just a suggestion, maybe you could publish the
SHA-256 checksums of release tarballs instead of MD5? MD5 was
cracked more than a decade ago (although I haven't looked into
the feasibility of producing a collision that still compiles when
unpacked).

Zhiming


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

John Reiser
On 06/16/2017 06:31 AM, Zhiming Wang wrote:
> By the way, just a suggestion, maybe you could publish the
> SHA-256 checksums of release tarballs instead of MD5?

Please also publish the exact length in bytes.
This is worth _more_ than expanding the width of the checksum,
because it is easier (much easier) to produce checksum collisions
by extending the length.


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Valgrind 3.13.0 tarball hosted at sourceware.org - legit or not?

ISHIKAWA,chiaki
On 2017/06/16 22:55, John Reiser wrote:

> On 06/16/2017 06:31 AM, Zhiming Wang wrote:
>> By the way, just a suggestion, maybe you could publish the
>> SHA-256 checksums of release tarballs instead of MD5?
>
> Please also publish the exact length in bytes.
> This is worth _more_ than expanding the width of the checksum,
> because it is easier (much easier) to produce checksum collisions
> by extending the length.
>
>

It's not signed (by PGP/GPG, for example), is it? I realized that it is
not.(!)
(I saw no trace of signature files for verification on my local PC.)

I know all the pitfalls of signing by open keys, but it still adds a
layer of confidence, much better than a single checksum as noted above.

Thank you again for sharing a great piece of software.

TIA






------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Valgrind-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/valgrind-users
Loading...