[conspire] www.debian.org ... upper right is a box, "Download Debian 8.3" ...

Michael Paoli Michael.Paoli at cal.berkeley.edu
Fri Mar 11 02:14:52 PST 2016


> Date: Thu, 10 Mar 2016 21:20:09 -0800
> From: Dana Goyette <danagoyette at gmail.com>
> To: Rick Moen <rick at linuxmafia.com>, 	"conspire at linuxmafia.com"
> 	<conspire at linuxmafia.com>
>
> I usually use http://mirrors.kernel.org as my main site for  
> downloading CD images.  They do list the checksums and signatures  
> quite easily.  Also, while typing the URL, I decided to check if  
> they support https ? yes, they do!  So: https://mirrors.kernel.org

Nice ... not a panacea at all, but supporting, or also supporting
https, generally a good thing (e.g. generally reduce probability of
Man-In-The-Middle attacks - though it may not do much else).

> From: Rick Moen
> Sent: Tuesday, March 8, 2016 11:51 PM
> To: conspire at linuxmafia.com
>
> Quoting Paul Zander (paulz at ieee.org):
>
>> So back to my personal project of downloading assorted Linux iso files.
>>
>> Finding the checksums sometimes isn't easy.

Yes, very annoying how for some distributions they're difficult to find -
or even missing entirely.  And more importantly, some don't have
signature file(s) for their ISO(s) or of secure hash(es) thereof.
I'm not favorably impressed by distributions that can't bother to
well provide a good, or at least semi-reasonable, trust path to
their ISO(s).

> You're right, and it's annoying, and I think we can blame everyone's
> mania for a simple, drool-proof WebUI:
>
>> For example, go to www.debian.org
>>
>> In the upper right is a box, "Download Debian 8.3"

Now I actually rather quite like how that one's done ... but more on that
in a bit ...

>> Click on the box and it starts downloading
>>   debian-8.3.0-amd64-i386-netinst.iso
>> But where is the file with the checksums for that particular file?
>
> Not shown anywhere near that soothingly green button, nor even anywhere
> on that page.  The webmonkey in question should be ashamed.
>
> It's findable if you know where it _probably is_, which is in the same
> directory tree the ISO is in.  If you have years of working around
> stupid webmonkeys the way I do, the subsequent drill is almost
> automatic:

Exactly, however I find that trivially easy to do without even so much as
giving it a second thought.  Unlike some other big distributions,
that have much more ewey GUI clicky web goop and JavaScript, etc. in
manner that makes it much more difficult (but not impossible) to find
the relevant signature files (e.g. like on a big Debian derivative
distribution that starts with the letter after T in sequence if one's
using ASCII or LC_ALL=C).

So, I find it very handy - copy/examine the URL - but almost never have
need/reason to directly download it from that URL, I may use an HTTP
HEAD request to snag the Last-Modified header (following redirects as
needed), to use that as basis for mtime of ISO file I assemble, and I
then typically, likewise strip off the bits after the last / in the
URL, use lynx -dump to get the paths of the hash and signature files,
download and validate those, and then walk the web directories to pull
what else I'm interested in - typically jigdo stuff to make newer images
from older images/files I already have, and torrent file(s) to seed after
I've validated image(s).  Some related bits about this were discussed
in fair bit of detail earlier on some threads on the SF-LUG list
(notably validation, and a certain distribution having their site
compromised, and having signature files that were somewhere between
non-existent and damn near impossible to find - and no, or no
easily findable trust path to their ISOs).
I also gave example here of my typical validating, etc.:
http://linuxmafia.com/pipermail/sf-lug/2016q1/011745.html

Anyway, I find the way Debian has done that to be a nice compromise ...
all the data and signatures quite easily findable - just navigate from
the URL in quite customary way - and that handy link not only handy for
impatient newbies that want a simple click, and mostly wouldn't want
to bother to validate even if they were quite told how to and how important
and where to get the data to validate (newbies often want dead simple
and are impatient) - one simple clear link to a most appropriate
ISO - and covering both "i386" & amd64, covers the most commonly
used architectures.  And for those that have a clue and/or are
more interested, simple enough to navigate relative to that URL,
or, "simply" (though maybe too scary/complex for many newbies)
navigate Debian's menus below, to get to whatever download(s) one
desires, and lots of helpful information along the way to figure out
what download(s) one is likely interested in, and also all the signature
and hash files also readily available alongside all those too.

> 1.  Where's the download link specifically?  Right-click the download
> button, to grab the URL.  Editify.  It's...
> http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/debian-8.3.0-amd64-i386-netinst.iso
>
> Strip off the filename portion, to get the basedir URL.  Load that in a
> browser.  URL is (of course)
> http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/ .
>
> Well, howdy there!  Your basic 1993 rivets-and-suspenders Web page with
> a bunch of too-much-text, a page that haplessly fails to put most-needed
> stuff on top.  A page written by engineers, yay.  It's so bad that
> oldtimers will feel right at home.  And at the bottom it has an
> Apache-autoindex directory listing of files.  In other words, the
> prepended too-much-text stuff was what Apache parsed from a .message (or
> whatever it is) file.
>
> Below that appears the actual Apache autoindex, which is this (edited
> slightly for e-mail):
>
> Name                                Last modified      Size
> ..                                                      -
> MD5SUMS                             2016-01-24 19:06   70
> MD5SUMS.sign                        2016-01-24 19:08  819
> SHA1SUMS                            2016-01-24 19:06   78
> SHA1SUMS.sign                       2016-01-24 19:08  819
> SHA256SUMS                          2016-01-24 19:06  102
> SHA256SUMS.sign                     2016-01-24 19:08  819
> SHA512SUMS                          2016-01-24 19:06  166
> SHA512SUMS.sign                     2016-01-24 19:08  819
> debian-8.3.0-amd64-i386-netinst.iso 2016-01-23 23:20  556M
>
> So, there you go -- an actually excessive selection of checksums, and
> gpg signatures for each.

Well, not sure about "excessive" :-) ... but I grab all the hashes and
signatures, and validate 'em all ... also pretty straight-forward using
utility I wrote + teensy wee bit 'o scripting one-liners (for sufficiently
long lines).  Examples/details at URL I noted further above.

> It's annoying that one is forced to get creative and dig for those, but
> at least logic, persistence, and lengthy Internet experience _can_ get
> you there.
>
> I'd say this is the sort of brain damage sadly likely when the online
> culture presses to hide all possible detail:  Exactly one operation
> (in this case, grab the ISO) is made very easy; every other operation is
> made harder because artificially invisible.

I dunno, I don't find it hard or particularly "invisible".  And, putting
a bunch 'o links/buttons, rather than just one, would likely only
confuse the newbies.  E.g. add a button for signature file ... oh, and
one for the hash file that's signed, ... oh, wait, Debian, done 4
different ways - from md5 through sha512 ... so ... that'd be 9 buttons now.
Oh, wait, need a 10th button to download the key, oh, and an 11th to go to
something that explains it all ... uhm, ... yeah, ... one button much better.
And, all that .message text or the like?  Doesn't particularly bother me.
Sure, they could just stick it in a README file or such.  But wouldn't
surprise me if they've run the stats, and end up with better results and
fewer "dumb" questions with that .message or whatever it is - header
text ... more probable to be read (or at least skimmed or noticed) by
the newbie, as opposed to just putting in a README file and without displaying
such information at (moderate) length at top.  So, I find it a pretty darn
good - or even excellent - design, and a good reasonable compromise.  (It was
only some moderate number of years back where Debian added that one simple
upper-right link button to that download - and I'd guess also they likely
quite debated the matter before reaching conclusion on that).

Let's see ... compared to some *other* distribution ... go to main page ...
and there's, not quite as highlighted, a "Download" link at the top ...
but there's a whole lot 'o others too, like "Cloud" and "IoT" ... gee,
what kind'a operating system or ISOs would those be?  Yeah, may be a
bit more confusing to the newbie.  So, maybe they know they want to
download some Ubuntu thing, so click or hover over "Download" with a
typical browser ... Oh My ... decisions, decisions - can simply click
it, or there's *seven* choices one can pick in a drop-down.
"flavours"?  Do they offer Chocolate, vanilla, and strawberry?  What do
flavors have to do with "Download" and Ubuntu?  and "flavours" and not
"flavors"?  Are they going to force me to use British (or Aussie, or ...)
English?  So, let's just click "Download" ... well, there's a bunch 'o
stuff, but prominent towards top, big button icon that looks like download
and it mentions download and desktop, guess maybe I want that, 'cause also
the other stuff sounds kind'a scary ... server?  Cloud?  More 'o that
non-US "flavours" stuff?  I'll just click that big down-arrow download
looking thingy.  But "of course", hovering over it with browser, no clue
what that will do - doesn't display a URL.  Of course, me, I use browser to
inspect and see what clicking on it does or likely does ... and it's some
rather complex HTML with lots 'o goop ... dear knows what a click does,
but newbie is too accepting of that, and just clicks, and ... that does
apparently absolutely nothing ... move mouse around, to right it
says "Ubuntu Desktop" - and that looks to be a link (and yes, does display
URL), so ... click that ... now gotta pick Ubuntu 14.04.4 LTS or Ubuntu 15.10.
Yikes, more decisions.  Well, at least they have bit of text description, and
well, newbie would probably go with the top one ... top one also does
say in bold "Recommended for most users".  There's also a small font link
that says, "release notes", but what kind'a notes, and who or what would
release what kind'a notes to who or what and why?  Yeah, we don't know if we
even notice, so we ignore that.  There's big button to right that says
"Download".  Above it is a drop-down labeled "flavour" - more non-US English,
click the drop-down arrow - no "flavor", so will Ubuntu force us to stick
with non-US English?  That might mess up our editing.  (here we see an example
where distributions that use "distribution" or "spin" don't have the
complications of US vs. non-US English in that basic wording) ...
so, peek at the drop-down - has only 2 options - our default, and the
32-bit - for machines with less than 2GB RAM.  Well, that one doesn't
say "recommended", and my computer is like 40G (hard drive) or more,
so we just click Download button ... oh, and can't tell what the URL for
that is by hovering mouse over it or right clicking.  If we use inspect ...
yeah, dear knows, looks like it submits some kind'a form.  Ugh.  Okay, so
newbie ... we just click it ... and ... I thought this sh*t was *free*, now
they're pestering me to give 'em money ... it says "Your contribution $ 15",
and is that pounds, or Euros, or dollars, or some kind'a Aussie dollars,
or ???
WTF.  Maybe time to give up on Ubuntu.  Can maybe do $ 0, but really, have to
adjust 5 sliders all the way to the left to do that?  Pay with PayPal?
I don't even have PayPal, but I get plenty of spam about it.  If I click
will I get more of that spam?  Is this like "begware" or "shareware" software
I heard about that's gonna continually and repeatedly pester me for (more)
money after I've downloaded it?  That stuff's free too, right?
Uhm, do I really want to download it?  Uhm, whatever, let's say we proceed ...
if it messes up the computer like Microsoft Windows does and fills itself with
viruses, I can just leave it sit out on the street by the curb, right?
Oh, wait, there's a teensy weensy small font link to the left that says
"Not now, take me to the download".  Dang, I was scared.  Is that
like many of the sites that have like fake download buttons all over
'em, and you have to find the teensy little link to the thing you
actually want to download?  Well, let's click that teensy link.
Oh, and yes, hovering over it, or right clicking, do have a URL:
http://www.ubuntu.com/download/desktop/thank-you/?version=14.04.4&architecture=amd64
Of course that doesn't exactly look like a filename.
What if we strip off everything after that last /
... Uhm, yeah, that thanks us for our contribution ... damn, did they take
money out of my PayPal account anyway?  Sh*t.  I better tell PayPal ... or
at least
check my PayPal account.  Uhm, so *where* are those signature (and hash)
files?  Okay, in fairness, yes, they *are* findable, but significantly
more difficult to find / navigate to, compared to Debian.  And as to which is
the better newbie experience - at least to and through the initial download?
(yes, that's a rhetorical question)

> The depressing bit is:  In general, Debian Project is better than
> everyone else at consistently providing checksums and verifiable
> signatures.  And yet, the novice-friendly front-door page for the
> underlying files (in this case) goes out of its way to _hide_ all of
> those and present only the ISO.

Eh, I don't think it goes that out of its way to hide the information and
signatures/hashes ... at least not compared to some other distributions
(and some don't even provide such and/or make it damn near impossible to
find them).  E.g. compare how many steps to get to signature file(s)
from the site's main page ... Debian, about two, Ubuntu ... about three
if one knows / remembers / has discovered the most efficient path to
there (hint: Alternative downloads), otherwise a bit more, Mint ...
uhm, yeah, right ... good luck ... maybe they'll get around to
fixing that some day.

Caveat: Debian is by far my favorite distribution, so an itty bitty
teensy weensy bit 'o bias might'a snuck in.
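The drill the thread describes (strip the filename off the ISO URL to get the
directory, fetch the hash file and its detached signature from beside it, verify
the signature, then check the ISO against the signed hashes, and use the HTTP
HEAD Last-Modified header as the ISO's mtime) as an added POSIX sh example.  This
is not code from the thread and not the poster's own utility.  It assumes curl,
gpg and GNU coreutils (sha256sum, date -d) are installed, that the
distribution's signing key is already in the gpg keyring, and the Debian
directory layout (SHA256SUMS, SHA256SUMS.sign, the .iso) shown in the quoted
autoindex; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example, not the thread's or the poster's own utility.  Walks the
# drill from the thread: take the ISO URL, strip the filename to get the
# directory, fetch SHA256SUMS and SHA256SUMS.sign beside it, check the
# signature, fetch the ISO, check its hash, and set its mtime from the
# HTTP Last-Modified header.  Assumptions: curl, gpg and GNU coreutils
# (sha256sum, date -d) are installed, and the distribution's signing key
# is already in the gpg keyring.  File names follow the Debian layout in
# the quoted autoindex.

# Directory part of a URL: everything up to and including the last '/'.
basedir_of_url() {
    printf '%s/\n' "${1%/*}"
}

# Filename part of a URL: everything after the last '/'.
basename_of_url() {
    printf '%s\n' "${1##*/}"
}

# Print the hash listed for NAME in a coreutils-format SUMS file
# ("<hash>  <name>", or "<hash> *<name>" for binary mode).
# Matches the name exactly, so "foo.iso" never matches "foo.iso.torrent".
# Fails if NAME is not listed at all.
expected_hash() {
    sums="$1"; name="$2"
    awk -v n="$name" '
        { sub(/^\*/, "", $2) }
        $2 == n { print $1; found = 1 }
        END { exit !found }' "$sums"
}

# Compare FILE's actual SHA-256 with the value listed in SUMS.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed.
verify_sha256() {
    sums="$1"; file="$2"
    want=$(expected_hash "$sums" "$(basename "$file")") || return 2
    have=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Turn an HTTP Last-Modified value ("Sat, 23 Jan 2016 23:20:00 GMT") into
# the [[CC]YY]MMDDhhmm[.SS] form that touch -t wants, in UTC (GNU date).
touch_stamp_from_http_date() {
    date -u -d "$1" +%Y%m%d%H%M.%S
}

# Last-Modified header of URL, following redirects, via an HTTP HEAD request.
last_modified_of_url() {
    curl -sIL "$1" | tr -d '\r' |
        awk -F': ' 'tolower($1) == "last-modified" { v = $2 } END { print v }'
}

# The whole drill for one ISO URL, run in the current directory.
fetch_and_verify() {
    url="$1"
    dir=$(basedir_of_url "$url")
    iso=$(basename_of_url "$url")
    lastmod=$(last_modified_of_url "$url")
    curl -sfLO "${dir}SHA256SUMS" || return 1
    curl -sfLO "${dir}SHA256SUMS.sign" || return 1
    # Signature first: an unsigned or mis-signed SUMS file proves nothing.
    gpg --verify SHA256SUMS.sign SHA256SUMS || return 1
    curl -sfLO "$url" || return 1
    verify_sha256 SHA256SUMS "$iso" || return 1
    if [ -n "$lastmod" ]; then
        touch -t "$(touch_stamp_from_http_date "$lastmod")" "$iso"
    fi
    echo "OK: $iso matches signed SHA256SUMS"
}

# Only run the network drill when given a URL on the command line, e.g.
#   sh verify-iso.sh http://cdimage.debian.org/debian-cd/8.3.0/multi-arch/iso-cd/debian-8.3.0-amd64-i386-netinst.iso
if [ "$#" -gt 0 ]; then
    fetch_and_verify "$1"
fi
```

The order matters: the .sign file is checked before the hash file is trusted, and
the hash file is checked before the ISO is trusted, so a mirror that serves a
swapped ISO, or a swapped SUMS file without a valid signature, fails at the
earliest step.  The same functions cover MD5SUMS, SHA1SUMS and SHA512SUMS by
swapping the digest command in verify_sha256.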
