[fpc-pascal] FPC 3.0.4 released!

kardan kardan at riseup.net
Fri Dec 1 00:55:09 CET 2017

On Thu, 30 Nov 2017 23:26:31 +0100
"Tomas Hajny" <XHajT03 at hajny.biz> wrote:

> Checksums may indeed be created / calculated rather easily. However,
> that is not enough. The checksums must get to the end user in secured
> way as well, otherwise it makes no sense. What is the appropriate
> mechanism for that from your point of view? Just listing on our WWW
> pages (since these may be accessed via HTTPS to avoid modification on
> the way) and copying the checksum to the WWW pages with links
> (somewhat time-consuming, unfortunately, due to many download pages
> and many files - I guess that we may provide you with a possibility
> to do this for the next release if you like ;-) )? Or having a signed
> (how - which trusted signature source?) checksum file accompanying
> each and every released file (cluttering the release directories
> considerably)? Or?

This is part of one of my install scripts for latest vagrant:

until [ \
  "$(sha256sum vagrant_2.0.1_i686.deb)" = \
  "$(curl -s $VAGRANT_SUMS|grep $(basename $VAGRANT_DEB))" ]
do wget -c $VAGRANT_DEB; done
sudo dpkg -i $(basename $VAGRANT_DEB)

Wikipedia provides gpg signatures for each release file:
gpg --recv-keys 9D3BB7B0
wget $URL{,.sig}
gpg --verify $(basename $URL).sig

Riseup.net takes it one step further and sign important statements and

In your case it would be probably enough to
sha256sum $FILES > SHA256SUMS.txt
gpg --sign SHA256SUMS.txt


More information about the fpc-pascal mailing list