Diffstat (limited to 'www/download.html')
-rw-r--r-- | www/download.html | 172 |
1 files changed, 113 insertions, 59 deletions
diff --git a/www/download.html b/www/download.html index fd2b2b1..a850390 100644 --- a/www/download.html +++ b/www/download.html @@ -1,12 +1,14 @@ -<?xml version="1.0" encoding="utf-8" ?> -<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> +<!DOCTYPE html> +<html lang="en"> <head> -<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> -<meta name="generator" content="Docutils 0.16: http://docutils.sourceforge.net/" /> -<title>GraphicsMagick Download</title> -<link rel="stylesheet" href="docutils-articles.css" type="text/css" /> + <meta charset="utf-8"> + <meta content="en" name="language"> + <title>GraphicsMagick Download</title> + <meta name="viewport" content="width=device-width, initial-scale=1.0"> + <link media="screen" href="docutils-articles.css" type="text/css" rel="stylesheet"> + </head> + <body> <div class="banner"> @@ -19,6 +21,7 @@ </form> </div> + <div class="navmenu"> <ul> <li><a href="index.html">Home</a></li> 
@@ -32,18 +35,29 @@ <li><a href="reference.html">Reference</a></li> </ul> </div> + <div class="document" id="graphicsmagick-download"> <h1 class="title">GraphicsMagick Download</h1> - <!-- -*- mode: rst -*- --> <!-- This text is in reStucturedText format, so it may look a bit odd. --> <!-- See http://docutils.sourceforge.net/rst.html for details. --> <div class="contents local topic" id="contents"> <ul class="simple"> -<li><a class="reference internal" href="#download-sites" id="id1">Download Sites</a></li> -<li><a class="reference internal" href="#verifying-the-download" id="id2">Verifying The Download</a><ul> -<li><a class="reference internal" href="#using-a-pgp-key" id="id3">Using a PGP key</a></li> -<li><a class="reference internal" href="#using-a-sha-256-or-sha-1-checksum" id="id4">Using a SHA-256 or SHA-1 checksum</a></li> +<li><p><a class="reference internal" href="#download-sites" id="id1">Download Sites</a></p></li> +<li><p><a class="reference internal" href="#download-formats" id="id2">Download Formats</a></p> +<ul> +<li><p><a class="reference internal" href="#tar-gz" id="id3">tar.gz</a></p></li> +<li><p><a class="reference internal" href="#tar-bz2" id="id4">tar.bz2</a></p></li> +<li><p><a class="reference internal" href="#tar-xz" id="id5">tar.xz</a></p></li> +<li><p><a class="reference internal" href="#tar-zst" id="id6">tar.zst</a></p></li> +<li><p><a class="reference internal" href="#tar-lz" id="id7">tar.lz</a></p></li> +<li><p><a class="reference internal" href="#z" id="id8">7z</a></p></li> +</ul> +</li> +<li><p><a class="reference internal" href="#verifying-the-download" id="id9">Verifying The Download</a></p> +<ul> +<li><p><a class="reference internal" href="#using-a-pgp-key" id="id10">Using a PGP key</a></p></li> +<li><p><a class="reference internal" href="#using-a-sha-256-or-sha-1-checksum" id="id11">Using a SHA-256 or SHA-1 checksum</a></p></li> </ul> </li> </ul> 
@@ -51,68 +65,109 @@ <div class="section" id="download-sites"> <h1><a class="toc-backref" href="#id1">Download Sites</a></h1> <p>The source distribution of GraphicsMagick as well as pre-compiled -binaries may be downloaded from the <a class="reference external" href="http://sourceforge.net/projects/graphicsmagick/files/">SourceForge Download</a> page. +binaries may be downloaded from the <a class="reference external" href="https://sourceforge.net/projects/graphicsmagick/files/">SourceForge Download</a> page. This is also where 'snapshot' distribution archives may be found.</p> -<p>Until recently (December, 2021) GraphicsMagick provided its own ftp -site for downloads but this has been disabled due to abusive download -practices (by using it as the primary download site) and because -support for FTP has been removed from popular browsers. This is -unfortunate since the same site also provided PNG-related files and a -libtiff mirror. The ftp site directory tree continues to exist and -will be maintained. If you are an administrator of a high-bandwidth -ftp or https mirror site and would like to provide a GraphicsMagick -mirror, please contact <a class="reference external" href="mailto:bfriesen%40graphicsmagick.org">Bob Friesenhahn</a> and we will work something -out.</p> +</div> +<div class="section" id="download-formats"> +<h1><a class="toc-backref" href="#id2">Download Formats</a></h1> +<p>The GraphicsMagick source files may be available in several different +archive formats:</p> +<div class="section" id="tar-gz"> +<h2><a class="toc-backref" href="#id3">tar.gz</a></h2> +<p>This is a POSIX <a class="reference external" href="https://en.wikipedia.org/wiki/Tar_(computing)">tar</a> file compressed using the legacy GNU gzip format ('gz' +extension) by Jean-loup Gailly and Mark Adler. Gzip is available from +<a class="reference external" href="https://www.gzip.org/">https://www.gzip.org/</a>. 
Gzip is the the most readily available +compressor on the planet.</p> +</div> +<div class="section" id="tar-bz2"> +<h2><a class="toc-backref" href="#id4">tar.bz2</a></h2> +<p>This is a POSIX <a class="reference external" href="https://en.wikipedia.org/wiki/Tar_(computing)">tar</a> file compressed using the legacy bzip2 format ('bz2' +extension) by Julian Seward. Bzip2 is available from <a class="reference external" href="http://sourceware.org/bzip2/">http://sourceware.org/bzip2/</a>.</p> +</div> +<div class="section" id="tar-xz"> +<h2><a class="toc-backref" href="#id5">tar.xz</a></h2> +<p>This is a POSIX <a class="reference external" href="https://en.wikipedia.org/wiki/Tar_(computing)">tar</a> file compressed using XZ Utils ('xz' extension) by +Lasse Collin starting with Igor Pavlov's LZMA-SDK. XZ Utils is +available from <a class="reference external" href="https://tukaani.org/xz/">https://tukaani.org/xz/</a>. XZ Utils is very popular and +readily available.</p> +</div> +<div class="section" id="tar-zst"> +<h2><a class="toc-backref" href="#id6">tar.zst</a></h2> +<p>This is a POSIX <a class="reference external" href="https://en.wikipedia.org/wiki/Tar_(computing)">tar</a> file compressed using Facebook's Zstandard format +('zst' extension) by Yann Collet. Zstd is available from +<a class="reference external" href="https://facebook.github.io/zstd/">https://facebook.github.io/zstd/</a>. While Zstd is not yet popular for +source archive distribution, it is supported by Automake and GNU tar, +and its compression ratio is very good.</p> +</div> +<div class="section" id="tar-lz"> +<h2><a class="toc-backref" href="#id7">tar.lz</a></h2> +<p>This is a POSIX <a class="reference external" href="https://en.wikipedia.org/wiki/Tar_(computing)">tar</a> file compressed using Lzip ('lz' extension). +Lzip is available from <a class="reference external" href="https://lzip.nongnu.org/lzip.html">https://lzip.nongnu.org/lzip.html</a>. 
In our +experience, Lzip produces the smallest source archive files and uses a +compact and portable implementation (as compared with 'xz', which is +its primary competitor).</p> +</div> +<div class="section" id="z"> +<h2><a class="toc-backref" href="#id8">7z</a></h2> +<p>This is a 7-Zip archive file ('7z' extension) by Igor Pavlov. 7-Zip +is available from <a class="reference external" href="https://www.7-zip.org/">https://www.7-zip.org/</a>. This format is used for the +Microsoft Windows sources since 7-Zip is much more widely available +under Windows than 'tar' is.</p> +</div> </div> <div class="section" id="verifying-the-download"> -<h1><a class="toc-backref" href="#id2">Verifying The Download</a></h1> +<h1><a class="toc-backref" href="#id9">Verifying The Download</a></h1> <div class="section" id="using-a-pgp-key"> -<h2><a class="toc-backref" href="#id3">Using a PGP key</a></h2> +<h2><a class="toc-backref" href="#id10">Using a PGP key</a></h2> <p>GraphicsMagick is software which runs on a computer, and if its code (source or binary code) was subtly modified (perhaps on the download server, or modified after download), it could do almost anything! Due -to this, it is useful to verify the download before you use it.</p> +to this, it is useful to verify the download before you use it. This +is especially important if you are preparing binaries for others to +use.</p> <p>Distributed packages may be verified (both for integrity and origin) using GnuPG (gpg). GnuPG is normally provided as a package for your operating system (often already installed), or may be downloaded from <a class="reference external" href="https://gnupg.org/download/">https://gnupg.org/download/</a>. 
The installed program on your system might be named 'gpg', 'gpg2', or 'gpg1'.</p> <p>The signing key used (currently DSA key id -EBDFDB21B020EE8FD151A88DE301047DE1198975) may be downloaded from a -public key server like:</p> -<pre class="literal-block"> -gpg --recv-keys EBDFDB21B020EE8FD151A88DE301047DE1198975 -</pre> -<p>or it may be extracted from +EBDFDB21B020EE8FD151A88DE301047DE1198975) may be downloaded in several +different ways.</p> +<p>The key may be downloaded directly from +<a class="reference external" href="http://www.simplesystems.org/users/bfriesen/public-key.txt">http://www.simplesystems.org/users/bfriesen/public-key.txt</a>, or it may +be extracted from the text of <a class="reference external" href="http://www.graphicsmagick.org/security.html">http://www.graphicsmagick.org/security.html</a>.</p> -<p>If extracting the key from the web page, (rather than using a key -server) to obtain the key, then copy the entire block of text -including the all of the "BEGIN" and "END" lines to a file -(e.g. <cite>gm-sigs.asc</cite>) and import it into your collection of keys. For -example:</p> -<pre class="literal-block"> -gpg --import gm-sigs.asc -</pre> +<p>It may be also downloaded from a public key server (if you are lucky) +like:</p> +<pre class="literal-block">gpg --recv-keys EBDFDB21B020EE8FD151A88DE301047DE1198975</pre> +<p>however, there are known dangers to your keystore if the keys on the +public key server have been spammed.</p> +<p>If extracting the key from the +<a class="reference external" href="http://www.graphicsmagick.org/security.html">http://www.graphicsmagick.org/security.html</a> web page, then copy the +entire block of text including the all of the "BEGIN" and "END" lines +to a file (e.g. <cite>gm-sigs.asc</cite>).</p> +<p>If you have chosen to download the public key to a file +(e.g. <cite>gm-sigs.asc</cite>) you can import it into your collection of keys. 
+For example:</p> +<pre class="literal-block">gpg --import gm-sigs.asc</pre> <p>After importing the key, you can easily verify any GraphicsMagick -distribution file with an associated ".sig" file (requires downloading -two files) by doing this:</p> -<pre class="literal-block"> -gpg --verify GraphicsMagick-1.3.37.tar.xz.sig -</pre> +distribution file with an associated ".sig" (binary OpenPGP format +signature) or ".asc" (ASCII armored format signature) file. The +distribution file and a signature file must be +downloaded. Verification is performed by doing this:</p> +<pre class="literal-block">gpg --verify GraphicsMagick-1.3.40.tar.xz.sig GraphicsMagick-1.3.40.tar.xz</pre> <p>and you should see output similar to:</p> -<pre class="literal-block"> -gpg: assuming signed data in 'GraphicsMagick-1.3.37.tar.xz' +<pre class="literal-block">gpg: assuming signed data in 'GraphicsMagick-1.3.40.tar.xz' gpg: Signature made Sun Dec 12 15:30:02 2021 CST gpg: using DSA key EBDFDB21B020EE8FD151A88DE301047DE1198975 gpg: Good signature from "Bob Friesenhahn <bfriesen@simple.dallas.tx.us>" [ultimate] gpg: aka "Bob Friesenhahn <bfriesen@simplesystems.org>" [ultimate] gpg: aka "Bob Friesenhahn <bfriesen@graphicsmagick.org>" [ultimate] gpg: aka "Bob Friesenhahn <bobjfriesenhahn@gmail.com>" [ultimate] -gpg: aka "[jpeg image of size 4917]" [ultimate] -</pre> +gpg: aka "[jpeg image of size 4917]" [ultimate]</pre> </div> <div class="section" id="using-a-sha-256-or-sha-1-checksum"> -<h2><a class="toc-backref" href="#id4">Using a SHA-256 or SHA-1 checksum</a></h2> +<h2><a class="toc-backref" href="#id11">Using a SHA-256 or SHA-1 checksum</a></h2> <p>While verifying distribution files using GnuPG is by far the most secure way to validate a release file, you may find SHA-256 or SHA-1 checksums in a distribution release announcement (e.g. from the 
@@ -120,25 +175,24 @@ graphicsmagick-announce list at <a class="reference external" href="https://sourceforge.net/p/graphicsmagick/mailman/graphicsmagick-announce/">https://sourceforge.net/p/graphicsmagick/mailman/graphicsmagick-announce/</a> which you <em>should</em> subscribe to). In this case you may do this for a SHA-256 checksum:</p> -<pre class="literal-block"> -sha256sum GraphicsMagick-1.3.37.tar.xz -</pre> -<p>and this for a SHA-1 checksum:</p> -<pre class="literal-block"> -sha1sum GraphicsMagick-1.3.37.tar.xz -</pre> +<pre class="literal-block">sha256sum GraphicsMagick-1.3.40.tar.xz</pre> +<p>and this for a SHA-1 (legacy) checksum:</p> +<pre class="literal-block">sha1sum GraphicsMagick-1.3.40.tar.xz</pre> <p>and then compare the generated checksum (hex format) with the checksum provided in the release announcement. While this is much more secure than doing nothing, it does not fully defend against forgery. If someone is able to forge a modified release archive as well as a -release announcment, then you could be duped!</p> +release announcement, then you could be duped!</p> </div> </div> </div> + <hr class="docutils"> <div class="document"> - <p><a href="Copyright.html">Copyright</a> © GraphicsMagick Group 2002 - 2022<!--SPONSOR_LOGO--></p> + <p><a href="Copyright.html">Copyright</a> © GraphicsMagick Group 2002 - 2023<!--SPONSOR_LOGO--></p> +</div> + </div> </body> </html> |
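Review bot: in the "Using a PGP key" part of the @@ -51,68 +65,109 @@ hunk, both places now offered for fetching the signing key (http://www.simplesystems.org/users/bfriesen/public-key.txt and http://www.graphicsmagick.org/security.html) are plain http links, while this same hunk moves the SourceForge link to https. A key fetched over an unauthenticated channel can be replaced in transit, and a download signed by the replacement key then reports a good signature. Suggest https for both links if the hosts serve it, plus a sentence telling readers to compare the imported key's fingerprint (gpg --fingerprint) with EBDFDB21B020EE8FD151A88DE301047DE1198975 before relying on the "Good signature" line. Separately, the sample output was only renamed to 1.3.40: it keeps the "Signature made Sun Dec 12 15:30:02 2021" date and the "assuming signed data" line, which gpg prints only when the data file is not named on the command line, so it no longer matches the two-argument command above it. Minor wording in the added text: "the the most readily available" and "including the all of".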
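Review bot: in the @@ -120,25 +175,24 @@ hunk, "SHA-1 (legacy)" still presents sha1sum as an equal alternative to sha256sum without saying which one to use. Since practical SHA-1 collisions exist, suggest stating that the SHA-256 value should be compared whenever the announcement provides one and that SHA-1 is listed only for older announcements. It would also help to say that the comparison must cover the full hex string, not just its first and last characters. At the end of the hunk, a </div> is added directly after the copyright paragraph ahead of the existing closing tag; worth confirming it has a matching opening tag in the regenerated page.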