[conspire] www.debian.org ... upper right is a box, "Download Debian 8.3" ...

[Rick Moen]

Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

[about my saying four checksums is excessive:]

> Well, not sure about "excessive" :-) 

I'll start with what's maybe a rhetorical question, but maybe not:
Given that the sha512sum was best-of-breed among the four hashes Debian
listed, what was the value proposition of the othr three?  (What we call
a 'sha512sum' aka 'SHA-512' hash is technically an SHA-2 hash of 512 bit
length.)

I'm aware that it takes longest to calculate (because most digits), but 
not even a caffeinated New Yorker is _that_ impatient, so I don't buy
the speed argument.  The old '$MY_OLD_OS doesn't have an implementation'
excuse is lame and, in 2016, more than stretching rhetorical
plausibility, as there's a limit to how much backward compatibility
users of Windows XP SP2 and only can expect in this decade.

I have no respect for 'but md5 is what people expect' and any argument
of that form, either.

So, I'm going to tentatively conclude that the value-add of any of the
other hashes as addenda to the sha512sum is nugatory.


> Well, not sure about "excessive" :-) ... but I grab all the hashes and
> signatures, and validate 'em all ... also pretty straight-forward using
> utility I wrote + teensy wee bit 'o scripting one-liners (for sufficiently
> long lines).  Examples/details at URL I noted further above.

For you, 'I did it because I could, and because automation is my friend,
and all of those hashes happened to be there so why not?'  I don't fault
you for running all that through a shell incantation; no harm in burning
the carbon deposits out of the old silicon engine.  ;->  However, I'm
not convinced those extra hashes actually provided any value that
justified the page's clutter and injury to its goal of presentation
simplicity.

To me as a wary and seasoned user of crypto, those four hashes seem to
say 'Hi, I'm sha512sum, the hash you want to use.  However, I've also
brought along three of my buddies, who are all variously a bit
brain-damaged and offer to do the same job I do, except just not as well
and with increased risk of total failure.'

To the novice, especially the fearful desktop users most susceptible to 
hapless user of trojaned fakeware, the ones we _most_ want to teach 
to check ISOs, IMO each extra bit of difficult-to-justify cruft is a
disincentive to bother with any of it.



> I dunno, I don't find it hard or particularly "invisible". 

Yes, but that's because you're you.  I don't usually extrapolate from
me, either.


> And, putting a bunch 'o links/buttons, rather than just one, would
> likely only confuse the newbies.

False Dilemma Fallacy is leading you astray:  Don't rush to judgement
and never bother to look for third alternatives.

Off the top of my head, imagine the WebUI presents as a 'breadcrumb'
visual framework a three-step process:

  1. Download,  2. Integrity,  3. Authenticity.

Might require going through subpages (or, Ghod help me, use of
Javascript) to nudge the user from 1 to 2 to 3.  But at least the flow 
can be made explicit.  

Cleverly enough done, there's no forest of links/buttons, and only one
part of the process is activated / fully shown at a time.  Moreover, 
there can be 'skip this step' overrides and a '?' link near various
things to display 'What's this thing, how do I work with it, and why do
I care?' text.

Now, it doubtless cannot be made entirely an idiot's delight, because 
some steps manually by the user are both inevitable and Feature Not Bug
material, but -- again, the idea of the three-step process _and why_
can be made _clear_.

The WebUI's stressing of a three-step progression being a routine thing 
is, IMO, the best part of that suggestion.  The download'n'drool habit
of the clicky-clicky people is a deep-seated addiction.  Defeating that
spinal reflex requires presenting a clear, simple alternative way -- and 
coaxing the user into actually doing it (without being fascistic about
that insistence).



Is all of the above a pain in the neck for WebUI implementers?
Certainly!  That's why the smart move would be to solve it once and then
make that available as a reusable chunk that can be hauled out whenever
anyone needs public download pages where security matters.


  E.g. add a button for signature file ... oh, and
> one for the hash file that's signed, ... oh, wait, Debian, done 4
> different ways - from md5 through sha512 ... so ... that'd be 9 buttons now.
> Oh, wait, need a 10th button to download the key, oh, and an 11th to go to
> something that explains it all ... uhm, ... yeah, ... one button much better.

> And, all that .message text or the like?  Doesn't particularly bother me.

Didn't say it bothered me, either.  I was just '1994 called and wants
its autoindex page back.'  In other words, charmingly retro and clumsy,
like your nephew borrowing your old bellbottoms and tripping over the
flared thingies.


> So, I find it a pretty darn good - or even excellent - design, and a
> good reasonable compromise.

Such a geek.  (As is the guy I shave.)  As TVtropes.org puts it,
'adorkable'.  ;->



> WTF.  Maybe time to give up on Ubuntu.

Not always the biggest fan, myself.  Which is why I look out for, and
appreciate, the things they do well (so I'm not unfair about this).  
Like, there's some Ubuntu docs, say, for weird hardware problems, that I
really admire.  As a class, pages at Arch Wiki leave theirs (and most
others) in the dust, but one should give credit where due.


> Can maybe do $ 0, but really, have to adjust 5 sliders all the way to
> the left to do that?  Pay with PayPal?

Ubuntu beg-a-thon-ing is low-level obnoxious, and a bit cheeky considering
how very little they ship that's not upstream-with-no-improvements, but
I've seen a lot worse.  Perhaps you remember the 24x7 March of Dimes
telethon that was MandrakeSoft.

Both that and noted tax-dodger Canonical, Ltd. being profit-making
private companies constantly talking like they're selfless public
servants deserving a direct tap into our bank accounts.  But that's a
different rant entirely.



> Eh, I don't think it goes that out of its way to hide the information and
> signatures/hashes ... at least not compared to some other distributions
> (and some don't even provide such and/or make it damn near impossible to
> find them).

Like you, I love Debian best.  But therefore I want them to lead the way
and do not just a good job but a brilliant one.