Replies: 2 comments
We don't currently publicize any hashes. Given the way releases currently happen (fully automated from a Git tag, generated remotely and automatically posted as build artifacts) there wouldn't really be a whole lot of security gained by posting hashes. One of the things they are useful for is making sure remote sources haven't been tampered with, but to really be effective they would need to be computed by a different system and posted on a different channel. Or for that purpose, signed by a developer. If there is a serious need to ward off some specific threat model feel free to post an issue and we'll figure out how to address it. The other thing they do is confirm you don't have a broken download. The package wrappers tend to do that already, but you can also confirm by downloading and hashing yourself on a separate device.
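Added example, not part of the original reply or the Xiphos project: one way to do the "hash it yourself on a separate device" check described above, in Python. It hashes the local copy and compares it with the digest pasted from the other device's `Get-FileHash` or `certutil -hashfile` output; the function names and the sample file are made up for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

HEX64 = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")
# Older certutil builds print the digest as 32 space-separated byte pairs.
SPACED = re.compile(r"\s*(?:[0-9A-Fa-f]{2}\s+){31}[0-9A-Fa-f]{2}\s*")

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large installer need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def extract_sha256(tool_output):
    """Return the one SHA-256 digest found in pasted Get-FileHash/certutil output."""
    found = set()
    for line in tool_output.splitlines():
        if SPACED.fullmatch(line):
            line = re.sub(r"\s+", "", line)
        found.update(m.group(0).lower() for m in HEX64.finditer(line))
    if len(found) != 1:  # refuse to guess when the paste is empty or ambiguous
        raise ValueError(f"expected exactly one SHA-256 digest, found {len(found)}")
    return found.pop()

def matches_reference(path, reference_output):
    """True when the local copy hashes to the digest recorded on the other device."""
    return hmac.compare_digest(sha256_file(path), extract_sha256(reference_output))

if __name__ == "__main__":
    # Constructed sample: a stand-in "download" and the certutil-style text that
    # a second device would report for the same bytes.
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "installer.bin")
        with open(path, "wb") as f:
            f.write(b"abc")
        pasted = ("SHA256 hash of installer.bin:\n"
                  "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n"
                  "CertUtil: -hashfile command completed successfully.\n")
        print("match" if matches_reference(path, pasted) else "MISMATCH: do not install")
```

A match shows both devices received the same bytes, which catches a broken download; as the reply above says, detecting tampering at the source needs a digest computed by a different system and posted on a different channel.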
That said, since the releases are automatic, adding hash values to the
release message in GitHub shouldn't be difficult, either.
--Greg
On Thu, Feb 25, 2021, 14:58 Caleb Maclennan ***@***.***> wrote:
We don't currently publicize any hashes. Given the way releases currently
happen (fully automated from a Git tag, generated remotely and
automatically posted as build artifacts) there wouldn't really be a whole
lot of security gained by posting hashes. One of the things they are useful
for is making sure remote sources haven't been tampered with, but to really
be effective they would need to be computed by a different system and
posted on a different channel. Or for that purpose, signed by a developer.
If there is a serious need to ward off some specific threat model feel free
to post an issue and we'll figure out how to address it.
The other thing they do is confirm you don't have a broken download. The
package wrappers tend to do that already, but you can also confirm by
downloading and hashing yourself on a separate device.
Where can I find the SHA256, MD5 hashes for the current Windows releases of Xiphos?