On Thu Apr 26, 2001 at 04:45:56PM -0700, Mark Rafn wrote:
> > I've been asked to post something regarding verifying md5sums for
> > downloaded ISOs, so here goes.
> ...
> > files: Mandrake80-ext.iso, Mandrake80-inst.iso, and md5sums.
> > Make sure all three files are in the same directory and then execute:
> > md5sum -c md5sums
>
> Is this paranoid enough? This will show if someone changed the ISO and
> not the checksum file (or vice versa), but how likely is that? Anyone who
> is able to change the ISO on a given server is also able to change the
> checksum file. It will, of course, spot random download corruption, but
> this is less of an issue than it was back in the day.
Exactly, which is more of the point, I think.
> In order for the md5sums to provide any assurance that this is the file
> released by mandrakesoft, the sum file and the iso files should come from
> different places. Getting them from different mirrors will assure you
> that there's nothing odd with just one mirror operator (though they could
> both be compromised, it's much less likely). If checksums are included in
> an e-mail announcement from the developer, that's even better.
I don't know if there is a place on the website that lists the md5sums
of the ISOs. When I wrote the message I wasn't thinking about levels
of paranoia, obviously. I just illustrated a way in which to do it.
If it isn't available on the website (again, I'm not sure on this),
you can go around and collect md5sum files from a dozen different
servers and run each against the ISOs or just do a diff of each md5sum
against each other and make sure no differences are found.
--
[EMAIL PROTECTED], OpenPGP key available on www.keyserver.net
1024D/FE6F2AFD 88D8 0D23 8D4B 3407 5BD7 66F9 2043 D0E5 FE6F 2AFD
- Danen Consulting Services www.danen.net, www.freezer-burn.org
- MandrakeSoft, Inc. Security www.linux-mandrake.com
Current Linux kernel 2.4.3-20mdk uptime: 1 day 20 hours 37 minutes.
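As an added example (not from the thread or from MandrakeSoft), here is a small POSIX shell script for what Vincent describes: collect the md5sum files obtained from several mirrors, check that they all agree, and only then run `md5sum -c` against the ISOs. The ISO contents, file names and mirror files below are constructed stand-ins built in a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original thread. Cross-checks md5sum
# files from independent mirrors before trusting any of them, then verifies
# the ISOs with "md5sum -c". Requires coreutils md5sum (Linux).

# Returns 0 if every checksum file given agrees with the first one.
# Lines are sorted first so that a different listing order on one mirror
# is not mistaken for tampering.
# Usage: checksums_agree FILE1 FILE2 [FILE3 ...]
checksums_agree() {
    ref="$1"; shift
    for f in "$@"; do
        if [ "$(sort "$ref")" != "$(sort "$f")" ]; then
            echo "checksum files differ: $ref vs $f" >&2
            return 1
        fi
    done
    return 0
}

# Verifies the ISOs in DIR against SUMS (a path relative to DIR).
# Exit status is that of "md5sum -c": non-zero if any file fails.
verify_isos() {
    dir="$1"; sums="$2"
    ( cd "$dir" && md5sum -c "$sums" )
}

# Constructed demo data standing in for the two Mandrake ISOs and three
# mirrors; prints the temporary directory it created.
demo_setup() {
    work="$(mktemp -d)"
    printf 'install image bytes\n' > "$work/Mandrake80-inst.iso"
    printf 'extension image bytes\n' > "$work/Mandrake80-ext.iso"
    ( cd "$work" && md5sum Mandrake80-inst.iso Mandrake80-ext.iso \
        > md5sums.mirror1 )
    # mirror2 lists the same sums in a different order: still consistent
    sort -r "$work/md5sums.mirror1" > "$work/md5sums.mirror2"
    # mirror3 stands in for a tampered copy: every hash replaced by zeros
    sed 's/^[0-9a-f]*/00000000000000000000000000000000/' \
        "$work/md5sums.mirror1" > "$work/md5sums.mirror3"
    echo "$work"
}

# Stand-alone run:
#   W=$(demo_setup)
#   checksums_agree "$W"/md5sums.mirror* || echo "mirrors disagree"
#   verify_isos "$W" md5sums.mirror1
```

With the three constructed mirror files, the agreement check fails as soon as mirror3 is included, so the ISO verification should only proceed once the disagreeing source has been investigated or dropped.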