Subject: Re: [boost] What is http://downloads.sourceforge.net/boost/boost_1_63_0.tar.bz2 ?
From: Olaf van der Spek (ml_at_[hidden])
Date: 2017-02-10 08:30:20


On Thu, Feb 9, 2017 at 12:53 PM, Jonathan Wakely via Boost
<boost_at_[hidden]> wrote:
>> Even if you trust Fedora infrastructure (and thus don't check the hash
>> when the archive is downloaded from there), the hash should still have
>> been verified when the archive was first downloaded from SourceForge.
>> At that point updating the Fedora servers should have failed.
>
> Checking the hash is a manual process that should be done by the
> maintainer, it can't cause updating the Fedora servers to fail (the
> infrastructure can't check the hash because it doesn't know what to
> compare it to). I screwed that up for the first cycle of rebuilds I
> did for Boost 1.63.0.

IMO checking hashes should be an automatic process..
You pass the hash and the URL to the downloader, which shouldn't
return any data if the hash doesn't match..

-- 
Olaf
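
Added example, not part of the original message and not Fedora's or Boost's tooling: one way to build the downloader described above, which takes the URL and the expected hash together and leaves nothing at the destination on a mismatch. The names `fetch_verified`, `HashMismatch` and `demo`, the choice of SHA-256, and the constructed local `file://` sample are assumptions.

```python
import hashlib
import hmac
import os
import pathlib
import tempfile
import urllib.request


class HashMismatch(Exception):
    """Downloaded bytes do not match the pinned digest."""


def fetch_verified(url, expected_sha256, dest):
    """Save url to dest only if its SHA-256 matches; otherwise raise."""
    digest = hashlib.sha256()
    dest_dir = os.path.dirname(os.path.abspath(dest))
    # Stream into a temp file beside dest so unverified bytes never sit at dest.
    fd, tmp_path = tempfile.mkstemp(dir=dest_dir, prefix=".partial-")
    try:
        with os.fdopen(fd, "wb") as tmp, urllib.request.urlopen(url) as resp:
            for chunk in iter(lambda: resp.read(65536), b""):
                digest.update(chunk)
                tmp.write(chunk)
        actual = digest.hexdigest()
        if not hmac.compare_digest(actual, expected_sha256.lower()):
            raise HashMismatch(f"{url}: expected {expected_sha256}, got {actual}")
        os.replace(tmp_path, dest)  # atomic publish, only after the check
        return dest
    finally:
        # On any failure the partial file is removed; after a rename it is gone.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)


def demo():
    """Constructed sample: a local file:// 'mirror' so the example runs offline."""
    with tempfile.TemporaryDirectory() as work:
        upstream = pathlib.Path(work, "upstream.tar.bz2")
        upstream.write_bytes(b"constructed sample archive contents\n")
        pinned = hashlib.sha256(upstream.read_bytes()).hexdigest()
        dest = os.path.join(work, "fetched.tar.bz2")
        fetch_verified(upstream.as_uri(), pinned, dest)
        accepted = os.path.exists(dest)
        os.unlink(dest)
        # The upstream file changes after the hash was pinned.
        upstream.write_bytes(b"archive replaced after the hash was pinned\n")
        try:
            fetch_verified(upstream.as_uri(), pinned, dest)
        except HashMismatch:
            return accepted, not os.path.exists(dest)
        return accepted, False
```

`demo()` returns `(accepted, rejected)`: the first fetch succeeds against the pinned digest, and the second raises `HashMismatch` without creating the destination file.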

Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk