Download page @Ubuntu.com
Matthew Flaschen
matthew.flaschen at gatech.edu
Sun Dec 17 05:11:07 UTC 2006
Will Simpson wrote:
> Select the "Other installation options" link under the
> mirror of choice. Then scroll down till you see the file listings. At
> the top will be a file called MD5SUMS and it will contain all the
> md5sums for all the images. Here is the one from Walla Walla College
> in Walla Walla Washington.
>
> http://ftp.wwc.edu/pub/mirrors/ubuntu-releases/edgy/MD5SUMS
>
As I just said, the MD5s are at
https://help.ubuntu.com/community/UbuntuHashes . Although this is
editable, which is again *very bad*, it is a secured page. Thus, people
can be sure it is actually on Ubuntu's site (and hope enough people are
watching that page); I now am. An http or ftp site (or any ordinary
TCP/IP transmission) does nothing to guarantee authenticity. Anyone
along the path of your http or ftp data could forge a name server or
simply modify your data outright.

Hashes are supposed to (among other things) allow you to use an insecure
mirror for your data while still being sure it is authentic. If you get
the MD5 from the same source as the data, it is equally dubious. Thus,
for an MD5 to have value you need to get it from an HTTPS page (or other
secure source) of an organization you trust. Few people seem to grasp
this, which means in practice MD5s are often no better than checksums.
Matthew Flaschen