(Website) md5 sums for downloads

Web sites, no matter how well maintained, are open to being hacked. For this reason, many software authors publish the MD5 checksums for released software. By communicating far-and-wide these MD5 checksums, users downloading the files from the website are given a means to verify their download is uncorrupted. (Corruption occurring either naturally or with malice.)
I propose each Inform 7 release include the publication of the MD5 checksums of the released files. Ideally, these MD5 sums would be published somewhere in addition to the website distributing the files. (e.g. Usenet.)
(To compute the checksum, all the software publisher needs to do is run "md5 <filename>" from a unix prompt!)

4 votes
anonymous shared this idea

    4 comments

      • Ano Nymous commented  · 

        md5 is a broken algorithm, and therefore it can no longer safely verify that something hasn't been altered. You'd need to use one of the newer hash algorithms for that, I think some of the newer SHA variants aren't broken yet.

        See http://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions for reference.

        md5 only serves well to detect unintentional alteration through disk failure, network issues etc., but it is pretty much useless for guarding against intentional manipulation these days.

      • Adminemshort (Admin, Inform 7) commented  · 

        I assume we're talking only about the main build here, not extensions -- but extension files are just text, and it would be exceptionally hard to use them maliciously, I think. (And I suspect that asking extension authors to create a digital signature would seriously cut down on the number of extensions we received.)

      • Dave commented  · 

        Plain checksums or hashes do not provide any real security. If such was desired I'd suggest using digital signatures instead. Right now, if an extension author cared to, they could trivially provide a separate OpenPGP signature file. It'd probably not be too difficult to find a way to embed such a signature within the extension file itself.

      • Adminemshort (Admin, Inform 7) commented  · 

        We have moved away from usenet as the primary venue for communicating official news about Inform (but I understand that that aspect is not the main point of your suggestion).
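
An added example, not part of the original thread or of the Inform 7 project: a download verifier that takes a `sha256sum`-style manifest, refuses MD5-length digests, and shows why the manifest has to reach the user by a channel other than the download site (or carry a signature). The file name `release.tar.gz` and all file contents are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=65536):
    """Stream the file so large release archives are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def parse_manifest(text):
    """Parse 'HEXDIGEST  filename' lines; accept only SHA-256-length digests."""
    expected = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, name = line.partition(" ")
        digest, name = digest.lower(), name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"not a SHA-256 digest (MD5 is 32 hex chars): {line!r}")
        expected[name] = digest
    return expected

def verify_download(path, manifest_text):
    """Return True only if the file's SHA-256 matches its manifest entry."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False  # a file the manifest does not list is never trusted
    return hmac.compare_digest(sha256_file(path), expected[name])

def demo():
    """Constructed sample: a stand-in release file, then an altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "release.tar.gz")  # hypothetical file name
        with open(path, "wb") as handle:
            handle.write(b"constructed release contents")
        trusted = f"{sha256_file(path)}  release.tar.gz\n"  # assumed obtained out of band
        ok_before = verify_download(path, trusted)
        with open(path, "wb") as handle:
            handle.write(b"constructed release contents, altered")
        caught = not verify_download(path, trusted)
        # A manifest regenerated beside the altered file matches it again.
        same_site = f"{sha256_file(path)}  release.tar.gz\n"
        fooled = verify_download(path, same_site)
        return ok_before, caught, fooled
```

`demo()` returns `(True, True, True)`: the original file verifies, the altered file is caught by the independently obtained manifest, and a manifest rewritten alongside the altered file passes, which is the gap a digital signature on the manifest closes.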
