From mboxrd@z Thu Jan 1 00:00:00 1970 From: Mark H Weaver Subject: Re: Torrenting GuixSD! Date: Wed, 25 Feb 2015 10:32:50 -0500 Message-ID: <87oaoidn19.fsf@netris.org> References: <54DE3317.7090002@riseup.net> <87vbj5e83e.fsf@fsf.org> <20150213205028.3f7cb9ba@PocketWee> <87wq382w45.fsf@gnu.org> <20150223205440.GA25828@debian> <87vbiqw0o4.fsf@gnu.org> <20150225141215.GA5109@debian.math.u-bordeaux1.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Return-path: Received: from eggs.gnu.org ([2001:4830:134:3::10]:41468) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1YQdx4-0003Nz-El for guix-devel@gnu.org; Wed, 25 Feb 2015 10:32:46 -0500 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1YQdx0-0003Ym-E5 for guix-devel@gnu.org; Wed, 25 Feb 2015 10:32:42 -0500 In-Reply-To: <20150225141215.GA5109@debian.math.u-bordeaux1.fr> (Andreas Enge's message of "Wed, 25 Feb 2015 15:12:15 +0100") List-Id: "Development of GNU Guix and the GNU System distribution." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org Sender: guix-devel-bounces+gcggd-guix-devel=m.gmane.org@gnu.org To: Andreas Enge Cc: guix-devel@gnu.org, Polchi Andreas Enge writes: > On Wed, Feb 25, 2015 at 03:00:59PM +0100, Ludovic Court=C3=A8s wrote: >> Andreas Enge skribis: >> > I still think it would be nice to include the signature into the torre= nt. >> It=E2=80=99s probably fine to point to the .sig that=E2=80=99s on alpha.= gnu.org, no? > > Well, it is more a question of education than anything: By including the > signature, downloaders are directly pointed to it. Of course, it can also > be downloaded separately, but this is an additional step. We should make > "the right thing" as easy as possible. If we were to extend this argument to non-torrent downloads, then all of our downloads (source tarballs and images) should be tar files containing a signature bundled with the thing being signed. mit-krb5 follows this policy with their source tarballs. I suppose there can be no arguments on matters of taste, but personally I don't like it. I have some experience with torrents, and I tend to find it annoying when downloads that would naturally be a single file are bundled into a directory with other stuff. For one thing, it means that I can't organize my files as I prefer without keeping the directory name and structure that the torrent creator chose, at least not if I want to facilitate later seeding. My preference would be to keep things as they are now. IMO, it would be better to educate people on how to download and check the detached signature in our installation instructions. That's a lesson that can be used for almost every software package that is signed upstream, which would be far more useful than educating them on some non-standard signature distribution method that hardly anyone uses. Regards, Mark