[Numpy-discussion] Verify your sourceforge windows installer downloads

Peter Cock p.j.a.cock at googlemail.com
Thu May 28 10:00:38 EDT 2015


Migrating from SourceForge seems worth considering. I also
agree this is a breach of trust with the open source community.

It is my impression that the GIMP team stopped using SF for
downloads some time ago in favour of using their own website,
leaving the SF account live to maintain the old release downloads:

https://mail.gnome.org/archives/gimp-developer-list/2015-May/msg00098.html

According to the SourceForge blog, they assumed the "GIMP for
Windows" account was abandoned, and it appears SF decided
to make some money off it as a mirror site offering adware-bundled
versions of the official releases:

http://sourceforge.net/blog/gimp-win-project-wasnt-hijacked-just-abandoned/

We would not want the same thing to happen to NumPy, but on
the other hand deleting all the old releases on SourceForge
would break a vast number of installation scripts/recipes.

Peter

On Thu, May 28, 2015 at 2:35 PM, David Cournapeau <cournape at gmail.com> wrote:
> IMO, this really begs the question on whether we still want to use
> sourceforge at all. At this point I just don't trust the service at all
> anymore.
>
> Could we use some resources (e.g. rackspace ?) to host those files ? Do we
> know how much traffic they get so estimate the cost ?
>
> David
>
> On Thu, May 28, 2015 at 9:46 PM, Julian Taylor
> <jtaylor.debian at googlemail.com> wrote:
>>
>> hi,
>> It has been reported that sourceforge has taken over the gimp
>> unofficial windows downloader page and temporarily bundled the
>> installer with unauthorized adware:
>> https://plus.google.com/+gimp/posts/cxhB1PScFpe
>>
>> As NumPy is also distributing windows installers via sourceforge I
>> recommend that when you download the files you verify the downloads
>> via the checksums in the README.txt before using them. The README.txt
>> is clearsigned with my gpg key so it should be safe from tampering.
>> Unfortunately as I don't use windows I cannot give any advice on how
>> to do the verification on these platforms. Maybe someone familiar with
>> available tools can chime in.
>>
>> I have checked the numpy downloads and they still match what I
>> uploaded, but as sourceforge does redirect based on OS and geolocation
>> this may not mean much.
>>
>> Cheers,
>> Julian Taylor
>> _______________________________________________
>> NumPy-Discussion mailing list
>> NumPy-Discussion at scipy.org
>> http://mail.scipy.org/mailman/listinfo/numpy-discussion
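Julian's recommendation above, as an added example that is not code from the thread or from the NumPy project: a small Python script that has gpg verify the clearsign signature on README.txt, takes the checksums only from the signed text, and hashes the installer bytes actually on disk (which is the point when the mirror redirect depends on OS and geolocation). It assumes README.txt lists files as `<hex digest>  <filename>` lines in md5sum/sha256sum style; the file names, contents and the tampered case in `self_check` are constructed for illustration.

```python
"""Verify NumPy Windows installers against the checksums in a clearsigned README.txt.
Added example (not from the thread): assumes README.txt lists '<hex digest>  <filename>'
lines in the md5sum/sha256sum style; gpg is only invoked from the __main__ path."""
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path

CHECKSUM_RE = re.compile(r"^(?P<digest>[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})\s+\*?(?P<name>\S+)$", re.M)
DIGEST_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}  # digest length -> hashlib name

def verify_clearsigned(readme: Path) -> str:
    """Return the signed body of a clearsigned file; raise if gpg rejects it.
    gpg --decrypt checks the signature and writes the text to stdout, exiting non-zero
    on a bad signature or a signer key missing from the keyring. A valid signature from
    an untrusted key still exits 0, so also compare the fingerprint gpg prints on
    stderr with the release manager's published key."""
    proc = subprocess.run(["gpg", "--batch", "--decrypt", str(readme)],
                          capture_output=True, check=True)
    return proc.stdout.decode("utf-8", "replace")

def parse_checksums(signed_text: str) -> dict:
    """Map filename -> (algorithm, lowercase digest), taken from the signed text only."""
    return {m["name"]: (DIGEST_ALGO[len(m["digest"])], m["digest"].lower())
            for m in CHECKSUM_RE.finditer(signed_text)}

def check_downloads(checksums: dict, directory: Path) -> dict:
    """Return {filename: 'ok' | 'MISMATCH' | 'missing'} for every file the README lists."""
    results = {}
    for name, (algo, expected) in checksums.items():
        path = directory / name
        if not path.is_file():
            results[name] = "missing"
        else:  # hash the bytes actually on disk, whatever mirror the redirect chose
            actual = hashlib.new(algo, path.read_bytes()).hexdigest()
            results[name] = "ok" if actual == expected else "MISMATCH"
    return results

def self_check() -> dict:
    """Exercise check_downloads on constructed files: one intact, one tampered, one absent."""
    good = hashlib.sha256(b"hello").hexdigest()
    text = f"{good}  good.exe\n{good} *tampered.exe\n{good}  absent.exe\n"
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "good.exe").write_bytes(b"hello")
        (Path(d) / "tampered.exe").write_bytes(b"hello plus bundled adware")
        return check_downloads(parse_checksums(text), Path(d))

if __name__ == "__main__":  # usage: python verify_numpy.py README.txt <download directory>
    import sys
    print(check_downloads(parse_checksums(verify_clearsigned(Path(sys.argv[1]))), Path(sys.argv[2])))
```

Python and gpg (via Gpg4win) both run on Windows, so the same script covers the platform Julian could not advise on.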


