[Ardour-Users] MacBook Air/Ardour

Ralf Mardorf ralf.mardorf at alice-dsl.net
Wed Aug 22 08:54:55 PDT 2018


On Wed, 22 Aug 2018 09:47:22 -0400, Paul Davis wrote:
>We do publish sha5sum's for the nightly builds, but the vast majority
>of people wouldn't have any idea how to even check them.

Hi,

I'm an Arch Linux user, who provides help to novices of the Ubuntu
community.

Handling signed checksums isn't trivial for beginners, so I posted a
script to a few Ubuntu flavour mailing lists, that downloads Ubuntu
flavour desktop images, the checksums and that does import the public
key.

The Ubuntu flavour mailing list communities ensure that the script
isn't malicious, so the inexperienced user could trust using the
script, that will check a downloaded ISO against a signed checksum.

IOW you could post a script to this mailing list and LAU, other
subscribers confirm that the script is ok, so unless somebody does hack
both mailing list Archives, the inexperienced user could compare the
downloaded script from both mailing list archives. Sure, this isn't
perfect, just another layer. In the end even somebody who knows how to
use signed checksums, might not be able to "trust ultimately" [1].

2 Cents,
Ralf

[1]
From the gpg trust command:

"Please decide how far you trust this user to correctly verify other
users' keys (by looking at passports, checking fingerprints from
different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately"

Somewhere a web of trust starts, but key validation is an issue.

https://www.gnupg.org/gph/en/manual/x547.html



More information about the Ardour-Users mailing list