From: "Robert I. Eachus"
Subject: Re: Lack of Mature Tools (was: Lockheed Martin, Green Hills, etc.)
Date: 2000/04/26
Message-ID: <39069B90.C9A74221@earthlink.net>#1/1
Organization: The MITRE Corporation
Newsgroups: comp.lang.ada

Chris Morgan wrote:

> Are you really suggesting that if I see an announcement of a new
> public release of gnat on comp.lang.ada and I then download a file
> with that version number from cs.nyu.edu in /pub/gnat that it may
> somehow be corrupted? The wrong file? Altered by random strangers?

I believe that the right answers are: several times, happened at least once, and has not happened yet--at least on cs.nyu.edu.

There are many different versions of each new gnat release that can be found on cs.nyu.edu. There have been uploading problems on several occasions resulting in corrupted files, and at least once the wrong version of a binary was uploaded.
Note also that not all of the versions available from cs.nyu.edu are created by ACT and so ACT as such has no way to guarantee conformance for such versions.

Having said all that--and RBKD or someone else can provide the gory details--GNAT is probably at least as reliable and robust as Netscape or other products you can download over the net. But if you see the announcement of a new "p" release and download it immediately, there will be times when you will have to go back for the correct version.

So yes, Robert is implying that those things can happen and that ACT cannot be responsible--among other things, it is not their server.

> This seems like a surprising claim to me. I'll bet you (i.e. ACT) can
> be pretty sure that those bits correspond exactly to the ACT build of
> that public version just with a sum(1). If you published checksums on
> www.gnat.com everybody else could be fairly sure as well, no matter
> where they actually downloaded the file from. Better checks are also
> easily provided (e.g. MD5) as seen on many other open source or free
> software projects.
>
> Not doing that is perfectly fine, but claiming the resultant lack of
> verifiability leads to authenticity problems seems very weaselly to
> me.

I don't think any weaseling was intended. MD5 checksums would probably be a good idea, but the archive formats do include checksums that detect truncated or corrupted files.

When I am concerned about someone maliciously modifying software, however, I much prefer CD as a delivery media. After installing, you should checksum not just the compiler, but the entire directory hierarchy. There are tools to do this. Such tools in fact are included in the DII COE, and in GCCS their use is mandatory.
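
Added example, not part of the original post and not one of the DII COE tools it mentions: a minimal sketch of checksumming an entire installed directory hierarchy and comparing it with a recorded baseline. It uses SHA-256 in place of the MD5 named in the thread, since MD5 is no longer collision resistant; the function names and the sample tree are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile

def hash_file(path, chunk=1 << 16):
    h = hashlib.sha256()  # streamed so large binaries are not read whole
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each relative path under root to a digest; symlinks by target, not followed."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                manifest[rel] = "link:" + os.readlink(full)
            elif os.path.isfile(full):
                manifest[rel] = hash_file(full)
    return manifest

def compare(baseline, current):
    """Return sorted (added, removed, modified) path lists."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    common = set(baseline) & set(current)
    modified = sorted(p for p in common if baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed install tree: record a baseline, tamper, re-check."""
    def write(root, rel, data):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    with tempfile.TemporaryDirectory() as root:
        for d in ("bin", "lib"):
            os.makedirs(os.path.join(root, d))
        write(root, "bin/compiler", b"v1")
        write(root, "lib/rts.a", b"runtime")
        baseline = build_manifest(root)   # taken right after a trusted install
        write(root, "bin/compiler", b"v1-patched")  # altered binary
        write(root, "lib/extra.so", b"x")           # file never shipped
        os.remove(os.path.join(root, "lib/rts.a"))  # shipped file deleted
        return compare(baseline, build_manifest(root))

if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the baseline: it should come from the publisher or from trusted media and be stored where the checked host cannot rewrite it.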