[tor-talk] BitMail.sf.net v 0.6 - Secure Encrypting Email Client
Robert J. Hansen
rjh at sixdemonbag.org
Fri Nov 15 18:06:22 CET 2013
> I'm replying because, Sourceforge? They fell out of vogue...
For a service that's "out of vogue" they still host an awful lot of
Free Software, and for that I think perhaps we should be a bit
thankful. Their bundling is distasteful, yes, but it's hardly the end
of the world given they've only done it with the explicit permission
of the projects involved. Let's keep a sense of perspective and
remember this is GnuPG-Users, not a Sourceforge list.
> 'Robert' should upload his binaries to Github.
Whenever I hear someone say what another developer 'should' do, I
always mentally substitute 'I want this developer to...' instead.
That seems quite a lot more honest.
That said, there are two major problems with this demand:
* The 'Robert' who asked about BitMail never
claimed to be the author and may not have
the legal right to host the binaries
* GitHub hasn't allowed projects to host
binary files in well over a year.
So yes, there are good legal and technical reasons why your demand
cannot be complied with.
> if the MD5 checksum on his compiled binaries matches the MD5 checksum
> on the source code when it is compiled independently, he's golden. That
> is how that works, how it is supposed to work. Accept no substitutes.
Goes against current US-CERT guidance, which deprecates MD5 for all
purposes. The newer SHAs are the way to go. Further, getting two
computers to generate the exact same binary code from the exact same
source code is a surprisingly difficult challenge. It requires a
perfect match of everything from compiler versions to C library
versions right down to identical *clocks* -- because often, compilers
will incorporate timestamps into the output.
Doing checksum validation of source code is feasible. Of binary code,
More information about the Gnupg-users