[conspire] [Felton LUG] Fwd: Apple Users Targeted

Paul Zander paulz at ieee.org
Wed Mar 9 08:26:42 PST 2016


Thanks.  I now have verified that the files downloaded match the published check sums.



________________________________
From: Rick Moen <rick at linuxmafia.com>
To: conspire at linuxmafia.com 
Sent: Tuesday, March 8, 2016 11:50 PM
Subject: Re: [conspire] [Felton LUG] Fwd: Apple Users Targeted


Quoting Paul Zander (paulz at ieee.org):

> So back to my personal project of downloading assorted Linux iso files. 
> 
> Finding the checksums sometimes isn't easy.

You're right, and it's annoying, and I think we can blame everyone's 
mania for a simple, drool-proof WebUI:

> For example, go to www.debian.org
> 
> In the upper right is a box, "Download Debian 8.3"
> 
> Click on the box and it starts downloading 
>   debian-8.3.0-amd64-i386-netinst.iso
> But where is the file with the checksums for that particular file?

Not shown anywhere near that soothingly green button, nor even anywhere
on that page.  The webmonkey in question should be ashamed.

It's findable if you know where it _probably is_, which is in the same
directory tree the ISO is in.  If you have years of working around
stupid webmonkeys the way I do, the subsequent drill is almost
automatic:

1.  Where's the download link specifically?  Right-click the download
button, to grab the URL.  Editify.  It's...
http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/debian-8.3.0-amd64-i386-netinst.iso

Strip off the filename portion, to get the basedir URL.  Load that in a
browser.  URL is (of course)
http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/ .

Well, howdy there!  Your basic 1993 rivets-and-suspenders Web page with
a bunch of too-much-text, a page that haplessly fails to put most-needed
stuff on top.  A page written by engineers, yay.  It's so bad that
oldtimers will feel right at home.  And at the bottom it has an
Apache-autoindex directory listing of files.  In other words, the
prepended too-much-text stuff was what Apache parsed from a .message (or
whatever it is) file.  

Below that appears the actual Apache autoindex, which is this (edited 
slightly for e-mail):

Name                                Last modified      Size  
..                                                      -  
MD5SUMS                             2016-01-24 19:06   70  
MD5SUMS.sign                        2016-01-24 19:08  819  
SHA1SUMS                            2016-01-24 19:06   78  
SHA1SUMS.sign                       2016-01-24 19:08  819  
SHA256SUMS                          2016-01-24 19:06  102  
SHA256SUMS.sign                     2016-01-24 19:08  819  
SHA512SUMS                          2016-01-24 19:06  166  
SHA512SUMS.sign                     2016-01-24 19:08  819  
debian-8.3.0-amd64-i386-netinst.iso 2016-01-23 23:20  556M 

So, there you go -- an actually excessive selection of checksums, and
gpg signatures for each.


It's annoying that one is forced to get creative and dig for those, but
at least logic, persistence, and lengthy Internet experience _can_ get
you there.

I'd say this is the sort of brain damage sadly likely when the online
culture presses to hide all possible detail:  Exactly one operation 
(in this case, grab the ISO) is made very easy; every other operation is
made harder because artifically invisible.

The depressing bit is:  In general, Debian Project is better than
everyone else at consistently providing checksums and verifiable
signatures.  And yet, the novice-friendly front-door page for the
underlying files (in this case) goes out of its way to _hide_ all of
those and present only the ISO.

I have no solution, but can sit with you and admire the problem.



_______________________________________________
conspire mailing list
conspire at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/conspire




More information about the conspire mailing list