Greetings,

Some of you might be aware that the instructions for verifying our *-CHECKSUM files on Windows have been broken since we moved to SHA256. Previously, we linked users to a sha1sum.exe built by the GnuPG project¹. With SHA256, we don't have that ability.

There is an open bug to provide a sha256sum.exe which we can point to for Windows who don't have any other tools to verify SHA256 checksums².

Packages are ready and referenced in bug 527060³. The idea is to build these packages in koji, though not for inclusion in any Fedora release (as the packages are mostly a bit of a hack to build a small subset of coreutils for Windows).

What I'm wondering about is what do we need to do in order to ensure GPL compliance here? Knowing that will help me move this forward with the folks on the infrastructure team.

We discussed this a bit on the infrastructure list⁴ a month back, though the discussion got off on a few tangents. I'd like to revive it and I think that having some insight from the legal team will help. Bruno Wolff III had some interesting questions regarding GPL compliance and MingW binaries at the end of the infra-list thread⁵.

Thanks for any help and guidance!

¹ http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.... ² https://bugzilla.redhat.com/show_bug.cgi?id=527060 ³ https://bugzilla.redhat.com/show_bug.cgi?id=527060#c14 ⁴ http://www.redhat.com/archives/fedora-infrastructure-list/2009-November/msg0... ⁵ http://www.redhat.com/archives/fedora-infrastructure-list/2009-November/msg0...