[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Bug-wget] metalink for wget releases & tests

From: Anthony Bryan
Subject: Re: [Bug-wget] metalink for wget releases & tests
Date: Thu, 3 Dec 2015 11:41:50 -0500

On Thu, Dec 3, 2015 at 4:53 AM, Darshit Shah <address@hidden> wrote:
> On 12/02, Anthony Bryan wrote:
>> thanks everybody for your work on the last release!
>> I'm biased but I think some of the metalink features are very cool &
>> helpful for automating things some people might be too lazy to do,
>> like hash or signature verification.
>> & very timely, (not to be too paranoid) but companies & whole
>> governments are doing MITM attacks, potentially making HTTPS useless
>> and signatures even more useful.
>> I was looking at the 2 metalink tests in /testenv
>> (Test-metalink-http.py, Test-metalink-xml.py) & thinking that it could
>> be a useful test to have wget download it's source release with a
>> metalink (hosted at
>> https://ftp.gnu.org/gnu/wget/wget-1.17.tar.xz.metalink , and including
>> a hash & signature) & then test those hash & signature features if
>> they are available. I guess most tests use the local test FTP/HTTP
>> server, so I don't know if any involve actual downloads?
> Our test suite was made to work entirely locally. It does not access the
> network, since the tests may be run on a machine with no network
> connectivity.
> However, we could implement these features within the local test suite
> itself. Would having to download over the network be such an important
> thing?

no, just that the functionality is tested is the important part (I saw
the invalid signature in Test-metalink-http.py), so just testing one
with a valid signature seems like a good step.

I just thought it would be cool for wget to be able to download itself
& check the signature, kind of like a compiler that can compile itself

>> (alternatively, the metalinks for the curl releases at
>> http://curl.haxx.se/download.html also have signatures, but I don't
>> know if that would be rude or not).
>> I also think having the compiled features listed when you do 'wget
>> --version' listing '+metalink +gpgme' might quickly help to show that
>> these features are available.
> Attached a patch to do this. Should have been done long ago, guess no one
> else noticed it.

great! thanks so much!

(( Anthony Bryan ... Metalink [ http://www.metalinker.org ]
  )) Easier, More Reliable, Self Healing Downloads

reply via email to

[Prev in Thread] Current Thread [Next in Thread]