04-24-2008, 05:43 PM
Florin Andrei

8.04 md5sums

Mario Vukelic wrote:
>
> If someone has compromised the iso on the server, he will also have
> uploaded the accompanying md5sum

Yes, that's straight from the Captain Obvious textbook, but in the field
of security, the "all or nothing" way of thinking does not get you too
far. At some point, you have to trust something.

Are the MD5 sums that I posted on the list trustworthy? Not so much.

Are the MD5 sums on the mirrors more trustworthy than mine? Usually yes.
Are they 100% trustworthy? No.

Are there any MD5 sums more trustworthy than those on the mirrors?
(e.g., MD5 sums on the ubuntu.com website)
If yes, use them.
If not, you have to trust the MD5 sums on the mirrors.

If there are any MD5 sums on ubuntu.com, are _those_ 100% trustworthy? No.

So you have to stop somewhere and accept that 100% certainty simply does
not exist. Just make the choice that is best for the current situation.

In most cases for the average user, MD5 sums files from a mirror hosted
by a large company or university should be trustworthy enough. If you
compare them with MD5s from other mirrors, hosted by independent
entities, and they match, they become more trustworthy. (and yes,
they're not 100% safe even then - obligatory note to stop nitpicking)

--
Florin Andrei

http://florin.myip.org/

--
ubuntu-users mailing list
ubuntu-users@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
 
04-24-2008, 06:29 PM
Mario Vukelic

8.04 md5sums

On Thu, 2008-04-24 at 10:43 -0700, Florin Andrei wrote:
> Yes, that's straight from the Captain Obvious textbook, but in the field
> of security, the "all or nothing" way of thinking does not get you too
> far. At some point, you have to trust something.

Yes, but the question is what.

> Are the MD5 sums that I posted on the list trustworthy? Not so much.
>
> Are the MD5 sums on the mirrors more trustworthy than mine? Usually yes.
> Are they 100% trustworthy? No.

True

> Are there any MD5 sums more trustworthy than those on the mirrors?
> (e.g., MD5 sums on the ubuntu.com website)
> If yes, use them.
> If not, you have to trust the MD5 sums on the mirrors.

But if you want to protect against a compromised iso on a particular
server, /every/ other server is a better choice to get the md5sum. And

> If there are any MD5 sums on ubuntu.com, are _those_ 100% trustworthy? No.

See above. And I, personally, trust Ubuntu's own server admins more
than most others.

> So you have to stop somewhere and accept that 100% certainty simply does
> not exist. Just make the choice that is best for the current situation.

Which, whatever it actually is, is /never/ to get the md5sum from the
same server as the iso.


 
04-24-2008, 09:45 PM
R Kimber

8.04 md5sums

On Thu, 24 Apr 2008 19:26:02 +0200
Mario Vukelic wrote:

> On Thu, 2008-04-24 at 18:16 +0100, R Kimber wrote:
> >
> > Actually, it's not so much a question of trust as one of the
> > likelihood that my download is the same as what's on the server.
>
> If someone has compromised the iso on the server, he will also have
> uploaded the accompanying md5sum

As I tried to say, I'm not looking to the md5sum to guarantee security,
only that the download process has worked properly, so that the file I
get is the same as the file on the server.

- Richard.
--
Richard Kimber
http://www.psr.keele.ac.uk/

 
04-24-2008, 09:52 PM
Mario Vukelic

8.04 md5sums

On Thu, 2008-04-24 at 22:45 +0100, R Kimber wrote:
> As I tried to say, I'm not looking to the md5sum to guarantee
> security, only that the download process has worked properly, so that
> the file I get is the same as the file on the server.

I understood that, and I still think it's a bad idea:

1. You should always check that the iso wasn't tampered with
2. By using the md5sum from another server, you get your desired
check that the download worked fine, and you get another level
of confidence in the integrity of the iso for free



 
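An added illustration, not part of any message in this thread: Florin Andrei's suggestion to compare checksum lists from independent mirrors and Mario Vukelic's advice to take the md5sum from a server other than the one that served the iso, combined into one check. The source labels, the file name `sample.iso` and the sample data are constructed for the example.

```python
import hashlib
import re

# md5sum list line: 32 hex digits, a space, a mode flag (' ' text or '*' binary), the name
LINE = re.compile(r"^([0-9a-fA-F]{32}) [ *](.+)$")

def parse_md5sums(text):
    """Return {filename: lowercase digest} parsed from the text of an MD5SUMS file."""
    found = (LINE.match(line.strip()) for line in text.splitlines())
    return {m.group(2): m.group(1).lower() for m in found if m}

def file_md5(path, chunk=1 << 20):
    """Digest the file in 1 MiB chunks so a CD-sized image is never held in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def check_download(actual, name, lists):
    """Judge a downloaded file's digest against checksum lists from several sources.

    lists maps a source label to the text of the MD5SUMS file fetched from it.
    Returns (verdict, {source: digest that source lists for name, or None}).
    """
    claimed = {src: parse_md5sums(text).get(name) for src, text in lists.items()}
    digests = {d for d in claimed.values() if d}
    if not digests:
        return "no-reference", claimed      # no source lists this file at all
    if len(digests) > 1:
        return "sources-disagree", claimed  # some source is stale or tampered with
    if actual.lower() not in digests:
        return "mismatch", claimed          # botched download or altered image
    return "match", claimed

# Constructed sample data: a stand-in image and the lists three sources might serve.
IMAGE = b"constructed stand-in for an ISO image\n"
GOOD = hashlib.md5(IMAGE).hexdigest()
BAD = hashlib.md5(IMAGE + b"tampered").hexdigest()
LISTS = {
    "download-mirror": f"{GOOD} *sample.iso\n",
    "second-mirror": f"{GOOD} *sample.iso\n{BAD}  other.iso\n",
    "release-server": f"{GOOD} *sample.iso\n",
}

if __name__ == "__main__":
    print(check_download(GOOD, "sample.iso", LISTS)[0])  # all sources agree with the file
    print(check_download(BAD, "sample.iso", LISTS)[0])   # file differs from every list
```

In real use, `actual` would come from `file_md5()` on the downloaded image, and each list would be fetched from a different server than the image itself.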
04-24-2008, 10:06 PM
Rick Bragg

8.04 md5sums

On Thu, 2008-04-24 at 10:43 -0700, Florin Andrei wrote:
> Mario Vukelic wrote:
> >
> > If someone has compromised the iso on the server, he will also have
> > uploaded the accompanying md5sum
>
> Yes, that's straight from the Captain Obvious textbook, but in the field
> of security, the "all or nothing" way of thinking does not get you too
> far. At some point, you have to trust something.
>
> Are the MD5 sums that I posted on the list trustworthy? Not so much.
>
> Are the MD5 sums on the mirrors more trustworthy than mine? Usually yes.
> Are they 100% trustworthy? No.
>
> Are there any MD5 sums more trustworthy than those on the mirrors?
> (e.g., MD5 sums on the ubuntu.com website)
> If yes, use them.
> If not, you have to trust the MD5 sums on the mirrors.
>
> If there are any MD5 sums on ubuntu.com, are _those_ 100% trustworthy? No.
>
> So you have to stop somewhere and accept that 100% certainty simply does
> not exist. Just make the choice that is best for the current situation.
>
> In most cases for the average user, MD5 sums files from a mirror hosted
> by a large company or university should be trustworthy enough. If you
> compare them with MD5s from other mirrors, hosted by independent
> entities, and they match, they become more trustworthy. (and yes,
> they're not 100% safe even then - obligatory note to stop nitpicking)
>
> --
> Florin Andrei
>
> http://florin.myip.org/
>


Look, the heck with all the chat... all I want to know is why are they
not yet here at: https://help.ubuntu.com/community/UbuntuHashes
or for that matter anywhere at https://xxxxx.ubuntu.com/xxxxxxxx

When will they be there? Why are they not there at the same time as the
downloads?

rick




 
04-24-2008, 10:18 PM
Mario Vukelic

8.04 md5sums

On Thu, 2008-04-24 at 22:06 +0000, Rick Bragg wrote:
> Look, the heck with all the chat... all I want to know is why are
> they
> not yet here at: https://help.ubuntu.com/community/UbuntuHashes
> or for that matter anywhere at https://xxxxx.ubuntu.com/xxxxxxxx
>
> When will they be there? Why are they not there at the same time as the
> downloads?


According to https://answers.launchpad.net/ubuntu/+question/30642 (easy
find on Google) they are at http://releases.ubuntu.com/hardy/ but I
can't get through atm


 
04-24-2008, 10:40 PM
Karl Larsen

8.04 md5sums

Mario Vukelic wrote:
> On Thu, 2008-04-24 at 22:06 +0000, Rick Bragg wrote:
>
>> Look, the heck with all the chat... all I want to know is why are
>> they
>> not yet here at: https://help.ubuntu.com/community/UbuntuHashes
>> or for that matter anywhere at https://xxxxx.ubuntu.com/xxxxxxxx
>>
>> When will they be there? Why are they not there at the same time as the
>> downloads?
>>
>
>
> According to https://answers.launchpad.net/ubuntu/+question/30642 (easy
> find on Google) they are at http://releases.ubuntu.com/hardy/ but I
> can't get through atm
>
>
>
I think you're all missing the boat. The md5sum is a way to increase
the probability that the software on that mirror is the same as the
master. But before you go looking for it Download the software and see
if it works. I have been 100% lucky. I have 2 LiveCD's that loaded my
computer and I have no idea what the md5sum is and care not the least :-)

If your download doesn't work a check will be against the sum and
such things. But as a rule the problem is the Nut behind the wheel.


Karl


--

Karl F. Larsen, AKA K5DI
Linux User
#450462 http://counter.li.org.
PGP 4208 4D6E 595F 22B9 FF1C ECB6 4A3C 2C54 FE23 53A7


 
04-24-2008, 10:52 PM
Mario Vukelic

8.04 md5sums

On Thu, 2008-04-24 at 16:40 -0600, Karl Larsen wrote:
> I think you're all missing the boat. The md5sum is a way to increase
> the probability that the software on that mirror is the same as the
> master.

Nobody disputed that

> But before you go looking for it Download the software and see
> if it works. I have been 100% lucky.

Why would I waste a blank CD and some of my time to find out that the
download was botched if I can just check the md5sum?

> I have 2 LiveCD's that loaded my
> computer and I have no idea what the md5sum is and care not the least :-)
> If your download doesn't work a check will be against the sum and
> such things. But as a rule the problem is the Nut behind the wheel.

Other things can happen than just erroneous downloads, even to Debian
who certainly know what they do, not even to speak about bittorrent.
http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html


 
04-24-2008, 10:53 PM
Mario Vukelic

8.04 md5sums

On Thu, 2008-04-24 at 22:06 +0000, Rick Bragg wrote:
> all I want to know is why are they
> not yet here at: https://help.ubuntu.com/community/UbuntuHashes
                                           ^^^^^^^^^^

BTW, this is a page that is edited by the community, not an "official"
Ubuntu page. (Yes, I find this confusing, too)


 
04-24-2008, 11:29 PM
Karl Larsen

8.04 md5sums

Mario Vukelic wrote:
> On Thu, 2008-04-24 at 16:40 -0600, Karl Larsen wrote:
>
>> I think you're all missing the boat. The md5sum is a way to increase
>> the probability that the software on that mirror is the same as the
>> master.
>>
>
> Nobody disputed that
>
>
>> But before you go looking for it Download the software and see
>> if it works. I have been 100% lucky.
>>
>
> Why would I waste a blank CD and some of my time to find out that the
> download was botched if I can just check the md5sum?
>
>
>> I have 2 LiveCD's that loaded my
>> computer and I have no idea what the md5sum is and care not the least :-)
>> If your download doesn't work a check will be against the sum and
>> such things. But as a rule the problem is the Nut behind the wheel.
>>
>
> Other things can happen than just erroneous downloads, even to Debian
> who certainly know what they do, not even to speak about bittorrent.
> http://lists.debian.org/debian-devel-announce/2006/07/msg00003.html
>
>
>
What does bittorrent have to do with sum?


Karl


--

Karl F. Larsen, AKA K5DI
Linux User
#450462 http://counter.li.org.
PGP 4208 4D6E 595F 22B9 FF1C ECB6 4A3C 2C54 FE23 53A7


 