Page 1 of 2
Discuss the 5.2.2 release
Posted: 24. Nov 2017, 16:04
by michael
Discuss the 5.2.2 release here.
You can download the release
here.
Mainly a regression-fix release for 5.2.0.
Re: Discuss the 5.2.2 release
Posted: 24. Nov 2017, 16:44
by mpack
The
main page gives October 24th as the release date of 5.2.2, which is a tad confusing. I had to do several double takes!
Re: Discuss the 5.2.2 release
Posted: 24. Nov 2017, 16:49
by michael
Fixed, thank you (and Michal, who pointed it out too).
Re: Discuss the 5.2.2 release
Posted: 25. Nov 2017, 02:42
by halfervirt
Re: Discuss the 5.2.2 release
Posted: 25. Nov 2017, 06:58
by ChipMcK
Re: Discuss the 5.2.2 release
Posted: 25. Nov 2017, 09:29
by socratis
The problem is that the checksums that ChipMcK gave are over "http" and people that are checking the checksums want them over "https". And in the Downloads page (which is https) the links to the checksums are broken (the links that halfervirt gave). I've had another complaint over the IRC.
Re: Discuss the 5.2.2 release
Posted: 25. Nov 2017, 12:59
by halfervirt
Alright, thanks both. I've upgraded to 5.2.0 for now, and I'll await the 5.2.2 hashes being available over a secure channel.
Re: Discuss the 5.2.2 release
Posted: 25. Nov 2017, 15:20
by mpack
halfervirt wrote:Alright, thanks both. I've upgraded to 5.2.0 for now, and I'll await the 5.2.2 hashes being available over a secure channel.
I'm curious why? The hashes have nothing to do with security, they're about checking whether you have a corrupted download, after you suspect same.
On Windows versions at least, security is provided by digital signatures embedded in the executables, including the installer.
Re: Discuss the 5.2.2 release
Posted: 25. Nov 2017, 18:18
by socratis
mpack wrote:On Windows versions at least, security is provided by digital signatures embedded in the executables, including the installer.
Same on the OSX side about the installer. But I guess that if the download is not from an "https" source, and the SHA256 (minimum) is not available again from an "https" source, some people are having trouble sleeping at night
Re: Discuss the 5.2.2 release
Posted: 25. Nov 2017, 18:24
by mpack
AFAICS the website shouldn't matter. Even if you got the installer off a guy with a barrow down at the fishmarket, the installer can only pass a digital signature check if the code is untouched since Oracle signed it.
Re: Discuss the 5.2.2 release
Posted: 27. Nov 2017, 09:13
by Nickna
mpack wrote:AFAICS the website shouldn't matter. Even if you got the installer off a guy with a barrow down at the fishmarket, the installer can only pass a digital signature check if the code is untouched since Oracle signed it.
You
REALLY should know what you're talking about if you've going to dispense security advice to people. In your scenario, you acquire an installer from a stranger at the fishmarket. Now how are you going to verify that it came from Oracle? By trying to open it? Do you see the problem with that?
Re: Discuss the 5.2.2 release
Posted: 27. Nov 2017, 10:20
by michael
Sorry about that, hashes uploaded.
Re: Discuss the 5.2.2 release
Posted: 27. Nov 2017, 11:08
by mpack
Nickna wrote:
You REALLY should know what you're talking about if you've going to dispense security advice to people.
I'm speaking as someone who
is a developer who digitally signs his own code with a DigiCert EV certificate (requiring a USB key to be present). How about you?
Nickna wrote:
In your scenario, you acquire an installer from a stranger at the fishmarket. Now how are you going to verify that it came from Oracle? By trying to open it?
By using the signature verification tools provided by your OS. This is what the signature is there for. This does not require you to run the suspect executable. If the code has been modified then the digest hash check will fail. Only Oracle can provide an Oracle signature which passes.
Edit: I see that Michael has fixed the hashes problem, and this discussion is off topic (oops), so we had better stop there. |
Re: Discuss the 5.2.2 release
Posted: 28. Nov 2017, 04:16
by RonSMeyer1
No go. Back to 5.1.30. You still can't use 3D acceleration in a Linux guest.
Re: Discuss the 5.2.2 release
Posted: 28. Nov 2017, 05:43
by socratis
@RonSMeyer1
Please don't generalize, not all Linux guests have issues. All of mine are just fine, thank you. If you have a problem with a specific distro/version, please state which one. Don't just throw an "all of them" out there.