4 Feb
2025
4 Feb
'25
9:21 a.m.
Nitpick: Not CRC checksums, as those are only good to detect gross data
Fair, "hash" would be the better term that I meant.
On Tue, Feb 4, 2025 at 7:00 AM Alexander Schreiber <als(a)thangorodrim.ch>
wrote:
> On Tue, Feb 04, 2025 at 01:33:48AM -0600, Steve Lewis via cctalk wrote:
> > Beyond just the compiler, there are also optimization and other settings
> > (like the multitude levels of C-compliance or how strict to be about
> > warnings, or conditional-builds to tailor it specific situations).
> >
> > Regardless, proper binary deliveries come with CRC checksums. This isn't
Nitpick: Not CRC checksums, as those are only good to detect gross data
> corruption (e.g. an entire page/sector being zeroed). The standard these
> days is proper cryptographic hashes that are still known to be strong
> (e.g. not MD5, as it is known to be weak and collisions can be generated,
> but SHA256/SHA512) and the hashes cryptographically signed.
>
> > just to verify that you downloaded the file correctly, but to also help
> > verify that you've used the exact same "Bill of software
material"
> (SBOM),
> > versions of dependencies, and other settings to produce that same binary.
>
> Reproducible builds is an issue by itself and requires careful attention
> to the build systems. But it should be a base standard.
>
> Kind regards,
> Alex.
> --
> "Opportunity is missed by most people because it is dressed in overalls and
> looks like work." -- Thomas A. Edison
>