/!\ Beware sourceforge
#1
Since Sourceforge is now considered corrupted (see articles on the internet), I suggest we:
- either leave them (but given the size of ac that could mean a bandwidth problem, so I understand if we don't)
- or put the SHA 512 checksum (https://en.wikipedia.org/wiki/Cryptograp...r_messages) of the file in the download section

The second option seems the best. It's easy and would avoid the temptation of Sourceforge putting some malicious code into the game archives.


Problems I see:
- are checksums easily accessible on Windows (I use Unix and I have no idea)?
- must not forget to update the checksum with the game version available for ddl (although that can certainly be automated)
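The checksum publication and check proposed in post #1, as an added example that is not part of the original thread: a Python script (it runs the same on Windows and Unix) that writes a `sha512sum`-style manifest at release time and verifies a download against it. The file names are hypothetical, and it assumes the manifest is fetched from the project's own site rather than from the mirror that serves the archive.

```python
import hashlib
import hmac
import os
import tempfile

ALGO = "sha512"  # the digest proposed in post #1; "sha256" works the same way


def file_digest(path, algo=ALGO, chunk_size=1 << 20):
    """Hash a file in chunks so a large game archive never sits fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(paths, manifest_path, algo=ALGO):
    """Release side: one '<hex digest>  <file name>' line per archive (sha512sum layout)."""
    with open(manifest_path, "w", encoding="utf-8", newline="\n") as out:
        for p in paths:
            out.write(f"{file_digest(p, algo)}  {os.path.basename(p)}\n")


def verify_download(path, manifest_path, algo=ALGO):
    """User side: True only if the manifest lists this file name and the digest matches."""
    expected = None
    with open(manifest_path, encoding="utf-8") as f:
        for line in f:
            digest, _, name = line.strip().partition("  ")
            if name == os.path.basename(path):
                expected = digest.lower()
    if expected is None:
        return False  # a file the manifest does not list is unverified, not OK
    return hmac.compare_digest(expected, file_digest(path, algo))


def demo():
    """Constructed sample: a stand-in archive, then the same file with bytes appended."""
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "game_v1.zip")  # hypothetical file name
        manifest = os.path.join(d, "SHA512SUMS")  # hypothetical manifest name
        with open(archive, "wb") as f:
            f.write(b"constructed release bytes")
        write_manifest([archive], manifest)
        clean = verify_download(archive, manifest)
        with open(archive, "ab") as f:
            f.write(b"bundled extra")
        return clean, verify_download(archive, manifest)
```

Regenerating the manifest in the same step that uploads a new version keeps the published checksum from going stale.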
#2
When you download the game, the name of the file on SourceForge is named "AssaultCube (has moved to Github)".
#3
But the binaries are on sf... Do you expect the average user to build the game themselves?
#4
http://winmd5.com/
#5
MD5 is broken... https://en.wikipedia.org/wiki/Md5#Security

But yea I guess there are plenty of tools.

(should be included by default tho... aah, windos)
#6
SHA is the way to go.
#7
SHA256 or more, SHA1 being broken too lol.
#8
My bad. I jumped directly to "Problems" section.
#9
SHA1 isn't _broken_ broken, it has a known "theoretical weakness", and is as of now still secure in practice. Even MD5 works in practice unless someone with funding from a multinational megacorp or a nation-state is out to get you, which I doubt is the case with AC. I'm definitely not advocating MD5 though, but SHA1 is still fine.

No SHA1 collisions (even artificially produced) are known to exist, and it's widely enough used to be a safe common denominator (Microsoft's own file checker tool, for example, only does MD5 and SHA1 AFAIK), so a SHA1 checksum should probably be included at least for those users.
#10
https://www.schneier.com/blog/archives/2...roken.html

It's breakable by anybody having a "little" money... We don't know who controls sourceforge. And today, cloud computing is quite easily available. No need to get paranoid, but as a common matter of principle, let's avoid them.

And anyway, we don't need to worry when using sha256 isn't more complicated.
#11
(19 Aug 15, 06:38PM)damien Wrote: We don't know who controls sourceforge.

Dice Holdings, Inc: https://en.wikipedia.org/wiki/SourceForge
#12
who controls sha256? sha-ception
#13
(19 Aug 15, 06:38PM)damien Wrote: https://www.schneier.com/blog/archives/2...roken.html

It's breakable by anybody having a "little" money... We don't know who controls sourceforge. And today, cloud computing is quite easily available. No need to get paranoid, but as a common matter of principle, let's avoid them.

And anyway, we don't need to worry when using sha256 isn't more complicated.

That's old news. That is the theoretical vulnerability that I mentioned. 10 years later, there are still no practical attacks that work for SHA1, even if you have a "little" money. And anyway, it's no extra effort to include SHA1 hash for those who don't have the tools for other hashes.
#14
edit