[conspire] [Felton LUG] Fwd: Apple Users Targeted

Rick Moen rick at linuxmafia.com
Tue Mar 8 23:50:04 PST 2016 

Quoting Paul Zander (paulz at ieee.org):

> So back to my personal project of downloading assorted Linux iso files. 
> 
> Finding the checksums sometimes isn't easy.

You're right, and it's annoying, and I think we can blame everyone's 
mania for a simple, drool-proof WebUI:

> For example, go to www.debian.org
> 
> In the upper right is a box, "Download Debian 8.3"
> 
> Click on the box and it starts downloading 
>   debian-8.3.0-amd64-i386-netinst.iso
> But where is the file with the checksums for that particular file?

Not shown anywhere near that soothingly green button, nor even anywhere
on that page.  The webmonkey in question should be ashamed.

It's findable if you know where it _probably is_, which is in the same
directory tree the ISO is in.  If you have years of working around
stupid webmonkeys the way I do, the subsequent drill is almost
automatic:

1.  Where's the download link specifically?  Right-click the download
button, to grab the URL.  Editify.  It's...
http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/debian-8.3.0-amd64-i386-netinst.iso

Strip off the filename portion, to get the basedir URL.  Load that in a
browser.  URL is (of course)
http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/ .

Well, howdy there!  Your basic 1993 rivets-and-suspenders Web page with
a bunch of too-much-text, a page that haplessly fails to put most-needed
stuff on top.  A page written by engineers, yay.  It's so bad that
oldtimers will feel right at home.  And at the bottom it has an
Apache-autoindex directory listing of files.  In other words, the
prepended too-much-text stuff was what Apache parsed from a .message (or
whatever it is) file.  

Below that appears the actual Apache autoindex, which is this (edited 
slightly for e-mail):

Name                                Last modified      Size  
..                                                      -   
MD5SUMS                             2016-01-24 19:06   70   
MD5SUMS.sign                        2016-01-24 19:08  819   
SHA1SUMS                            2016-01-24 19:06   78   
SHA1SUMS.sign                       2016-01-24 19:08  819   
SHA256SUMS                          2016-01-24 19:06  102   
SHA256SUMS.sign                     2016-01-24 19:08  819   
SHA512SUMS                          2016-01-24 19:06  166   
SHA512SUMS.sign                     2016-01-24 19:08  819   
debian-8.3.0-amd64-i386-netinst.iso 2016-01-23 23:20  556M 

So, there you go -- an actually excessive selection of checksums, and
gpg signatures for each.


It's annoying that one is forced to get creative and dig for those, but
at least logic, persistence, and lengthy Internet experience _can_ get
you there.

I'd say this is the sort of brain damage sadly likely when the online
culture presses to hide all possible detail:  Exactly one operation 
(in this case, grab the ISO) is made very easy; every other operation is
made harder because artifically invisible.

The depressing bit is:  In general, Debian Project is better than
everyone else at consistently providing checksums and verifiable
signatures.  And yet, the novice-friendly front-door page for the
underlying files (in this case) goes out of its way to _hide_ all of
those and present only the ISO.

I have no solution, but can sit with you and admire the problem.

More information about the conspire mailing list