1.3.0 checksums and release dates
Posted: Thu Sep 30, 2010 3:44 pm
I'm trying to build 1.3.0 using macports. Unfortunately macports complains that the checksums are not correct. There appear to be some underlying problems:
1) numerous sites appear to have announced 1.3.0 availability on September 14, whereas the release notes and most authoritative source distribution are dated September 18. I noticed that the macports changeset that includes the checksums is dated September 14, but these checksums are not the same as those provided in the release notes provided several days later, suggesting that there are some source discrepancies in the release, perhaps with nothing different other than the inclusion of release notes.
2) the release notes available by web can't be verified by SSL (the domain is virtually hosted but the certificate is expired and doesn't support virtual hosting), meaning that they can't be authoritatively attributed
3) the inability to attribute the release notes can't be overcome, as they provide a checksum rather than a signed digest of the release, which could be verified by other means
It would be helpful if someone might clarify what might have caused the immediate issue in item 1 and say whether anything might be done about the release verification issues when items 2 and 3 are taken together.
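
The difference between items 2 and 3 above, as an added example that is not part of the original post or the project's tooling: a checksum fetched over the same unauthenticated channel as the file still matches after both are replaced, while a signed digest checked against a separately obtained public key does not. The file names, the contents and the throwaway RSA key are constructed for the demonstration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: constructed files and a throwaway key; needs the openssl CLI.

checksum_ok() {   # $1 = file, $2 = file holding the published hex SHA-256
  [ "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)" = "$(cat "$2")" ]
}

signature_ok() {  # $1 = file, $2 = detached signature, $3 = public key (PEM)
  openssl dgst -sha256 -verify "$3" -signature "$2" "$1" 2>/dev/null |
    grep -q '^Verified OK'
}

publish() {       # $1 = work dir: publisher creates release, checksum, signature
  printf 'constructed 1.3.0 release contents\n' > "$1/release.tar"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/priv.pem" 2>/dev/null
  openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem"
  openssl dgst -sha256 -r "$1/release.tar" | cut -d' ' -f1 > "$1/notes.sha256"
  openssl dgst -sha256 -sign "$1/priv.pem" -out "$1/release.sig" "$1/release.tar"
}

swap_in_transit() {  # $1 = work dir: file and checksum both change, key does not
  printf 'different contents\n' > "$1/release.tar"
  openssl dgst -sha256 -r "$1/release.tar" | cut -d' ' -f1 > "$1/notes.sha256"
}

verify() {        # $1 = work dir; prints the result of each check
  local c=fail s=fail
  if checksum_ok "$1/release.tar" "$1/notes.sha256"; then c=pass; fi
  if signature_ok "$1/release.tar" "$1/release.sig" "$1/pub.pem"; then s=pass; fi
  echo "checksum=$c signature=$s"
}

run_demo() {
  local d; d=$(mktemp -d) || return 1
  publish "$d";         echo "as published: $(verify "$d")"
  swap_in_transit "$d"; echo "after swap:   $(verify "$d")"
  rm -rf "$d"
}

run_demo
```

The signature check is only as trustworthy as the way `pub.pem` reached the verifier; in the demonstration it is simply left untouched to stand in for a key obtained out of band.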