[conspire] [Felton LUG] Fwd: Apple Users Targeted
Paul Zander
paulz at ieee.org
Thu Mar 10 23:08:39 PST 2016
Yes, there are many pages under debian.org and also mirrors that list a collection of files download along with files containing the checksums. However, the prominent link on the main page bypasses the page with the checksums. Rick pointed out how to find the intermediate page that includes the sums. That page is skipped if one just clicks on "Download".
I used to do the checksums routinely, but never had problem with a file that had downloaded, but had errors. So I was getting lax. That is until it was reported that a different website had been hacked and people computers were being infected and one of the precautions should have been to verify the checksum of the download.
From: Dana Goyette <danagoyette at gmail.com>
To: Rick Moen <rick at linuxmafia.com>; "conspire at linuxmafia.com" <conspire at linuxmafia.com>
Sent: Thursday, March 10, 2016 9:20 PM
Subject: Re: [conspire] [Felton LUG] Fwd: Apple Users Targeted
#yiv0213036755 #yiv0213036755 -- _filtered #yiv0213036755 {panose-1:2 4 5 3 5 4 6 3 2 4;} _filtered #yiv0213036755 {font-family:Calibri;panose-1:2 15 5 2 2 2 4 3 2 4;}#yiv0213036755 #yiv0213036755 p.yiv0213036755MsoNormal, #yiv0213036755 li.yiv0213036755MsoNormal, #yiv0213036755 div.yiv0213036755MsoNormal {margin:0in;margin-bottom:.0001pt;font-size:11.0pt;}#yiv0213036755 a:link, #yiv0213036755 span.yiv0213036755MsoHyperlink {color:blue;text-decoration:underline;}#yiv0213036755 a:visited, #yiv0213036755 span.yiv0213036755MsoHyperlinkFollowed {color:#954F72;text-decoration:underline;}#yiv0213036755 .yiv0213036755MsoChpDefault {} _filtered #yiv0213036755 {margin:1.0in 1.0in 1.0in 1.0in;}#yiv0213036755 div.yiv0213036755WordSection1 {}#yiv0213036755 I usually use http://mirrors.kernel.org as my main site for downloading CD images. They do list the checksums and signatures quite easily. Also, while typing the URL, I decided to check if they support https – yes, they do! So: https://mirrors.kernel.org From: Rick Moen
Sent: Tuesday, March 8, 2016 11:51 PM
To: conspire at linuxmafia.com
Subject: Re: [conspire] [Felton LUG] Fwd: Apple Users Targeted Quoting Paul Zander (paulz at ieee.org): > So back to my personal project of downloading assorted Linux iso files. > > Finding the checksums sometimes isn't easy. You're right, and it's annoying, and I think we can blame everyone's mania for a simple, drool-proof WebUI: > For example, go to www.debian.org> > In the upper right is a box, "Download Debian 8.3"> > Click on the box and it starts downloading > debian-8.3.0-amd64-i386-netinst.iso> But where is the file with the checksums for that particular file? Not shown anywhere near that soothingly green button, nor even anywhereon that page. The webmonkey in question should be ashamed. It's findable if you know where it _probably is_, which is in the samedirectory tree the ISO is in. If you have years of working aroundstupid webmonkeys the way I do, the subsequent drill is almostautomatic: 1. Where's the download link specifically? Right-click the downloadbutton, to grab the URL. Editify. It's...http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/debian-8.3.0-amd64-i386-netinst.iso Strip off the filename portion, to get the basedir URL. Load that in abrowser. URL is (of course)http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/ . Well, howdy there! Your basic 1993 rivets-and-suspenders Web page witha bunch of too-much-text, a page that haplessly fails to put most-neededstuff on top. A page written by engineers, yay. It's so bad thatoldtimers will feel right at home. And at the bottom it has anApache-autoindex directory listing of files. In other words, theprepended too-much-text stuff was what Apache parsed from a .message (orwhatever it is) file. Below that appears the actual Apache autoindex, which is this (edited slightly for e-mail): Name Last modified Size .. - MD5SUMS 2016-01-24 19:06 70 MD5SUMS.sign 2016-01-24 19:08 819 SHA1SUMS 2016-01-24 19:06 78 SHA1SUMS.sign 2016-01-24 19:08 819 SHA256SUMS 2016-01-24 19:06 102 SHA256SUMS.sign 2016-01-24 19:08 819 SHA512SUMS 2016-01-24 19:06 166 SHA512SUMS.sign 2016-01-24 19:08 819 debian-8.3.0-amd64-i386-netinst.iso 2016-01-23 23:20 556M So, there you go -- an actually excessive selection of checksums, andgpg signatures for each. It's annoying that one is forced to get creative and dig for those, butat least logic, persistence, and lengthy Internet experience _can_ getyou there. I'd say this is the sort of brain damage sadly likely when the onlineculture presses to hide all possible detail: Exactly one operation (in this case, grab the ISO) is made very easy; every other operation ismade harder because artifically invisible. The depressing bit is: In general, Debian Project is better thaneveryone else at consistently providing checksums and verifiablesignatures. And yet, the novice-friendly front-door page for theunderlying files (in this case) goes out of its way to _hide_ all ofthose and present only the ISO. I have no solution, but can sit with you and admire the problem. _______________________________________________conspire mailing listconspire at linuxmafia.comhttp://linuxmafia.com/mailman/listinfo/conspire
_______________________________________________
conspire mailing list
conspire at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/conspire
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://linuxmafia.com/pipermail/conspire/attachments/20160311/0ef1fb22/attachment.html>
More information about the conspire
mailing list