Opened 7 years ago

Closed 5 years ago

Last modified 11 months ago

#7544 closed feature request (fixed)

GHC downloads are unsigned

Reported by: afcowie
Owned by:
Priority: normal
Milestone: 7.10.1
Component: Build System (make)
Version: 7.6.1
Keywords:
Cc:
Operating System: Unknown/Multiple
Architecture: Other
Type of failure: Documentation bug
Test Case:
Blocked By:
Blocking:
Related Tickets:
Differential Rev(s):
Wiki Page:

Description

Hi,

I recently came across a feature that is patched in 7.6 but not in 7.4; cause to upgrade. The Haskell website has binary downloads, i.e. http://www.haskell.org/ghc/download_ghc_7_6_1#x86_64linux but there are no SHA1 hashes or GPG signatures.

This may seem like busy work, but it's important to know who is building software and how it was built. Would it be possible to first of all post md5sums or sha1sums of the builds, and then down the road get that file GPG signed by someone responsible for the process?

Not sure where best to file this; sorry for noise if this is the wrong place.

AfC

Change History (7)

comment:1 Changed 6 years ago by igloo

difficulty: Unknown
Milestone: 7.8.1
Owner: set to igloo

comment:2 Changed 6 years ago by igloo

Owner: igloo deleted

comment:3 Changed 5 years ago by thoughtpolice

Milestone: 7.8.3 → 7.10.1

Moving to 7.10.1

comment:4 Changed 5 years ago by thomie

Resolution: fixed
Status: new → closed

Thank you for your feature request. sha256 hashes are available since version 7.8.1, and linked to from the download page. For the latest release, check here. I hope that solves things for you.

comment:5 Changed 5 years ago by nomeata

GPG signatures would still be nice. For example uscan, the tool Debian uses to download upstream tarballs, can automatically verify them by including the corresponding key in the Debian packaging meta-data.

(Not reopening, though, it’s just a thing that’s nice to have, but there are more important things I guess).

comment:6 in reply to:  5 Changed 5 years ago by hvr

Replying to nomeata:

GPG signatures would still be nice. For example uscan, the tool Debian uses to download upstream tarballs, can automatically verify them by including the corresponding key in the Debian packaging meta-data.

fwiw, the announcement contained GPG-signed hashes:

and is also available at


comment:7 Changed 11 months ago by bgamari

Component: Build System → Build System (make)

The new Hadrian build system has been merged. Relabeling the tickets concerning the legacy make build system to prevent confusion.
