[conspire] (forw) Re: Help installing ubuntu? Creating a bootable USB drive

Rick Moen rick at linuxmafia.com
Thu Jun 28 22:58:46 PDT 2018


Quoting Elise Scher (elise.scher01 at gmail.com):

> Hi Rick,
>     Where are these checksums published, please?

They are typically -- and should be -- published right alongside the ISOs,
in _some_ fashion.   Some distros are better about this (providing the
checksums and making them reasonably findable) than others.
Often, you find a distro makes them obscure or (in a few bad cases) not
published at the download location, at all.

Ubuntu is not the worst, in that sense, but not good, either.

Start at https://www.ubuntu.com/, pick link 'Downloads'.  Follow the
path of least resistance (as most novices do) and pick the top link on
the 'Ubuntu downloads' page, the one for 'Ubuntu Desktop'.  On the
resulting page, there's a prominent green button marked 'Download'.
_Zero_ wording there about existence of checksums right alongside the
ISOs, or reason (and means) to check them.

_Below_ the prominent green button:

   For other versions of Ubuntu Desktop including torrents, the 
   network installer, a list of local mirrors, and past releases 
   see our alternative downloads.  

Link goes to https://www.ubuntu.com/download/alternative-downloads .  
On that page, _still_ nothing about checksums.  Keep reading, blah
blah blah; eventually you reach 

  Other images and mirrors

Wording (omitted here) discourages following the link, tries to direct
you back to the default download page.  But, if you ignore that, you
see the next line:

  See all Ubuntu mirrors  

which is a link, going to https://launchpad.net/ubuntu/+cdmirrors ,
a big list of international Ubuntu mirror sites.  Under USA, you might
pick one such as 'Kernel.org'.  Its http link goes to
http://mirrors.us.kernel.org/ubuntu-releases/ .  Here are listed Ubuntu
releases, by name and release number.

Your typically Ubuntu target user will bail here (if not before), having
no idea which branch name or number is current.  (Ubuntu home page
doesn't highlight this information.)  FYI, current Long Term Support
release is Ubuntu 18.04 LTS 'Bionic Beaver'.

Aspiring Ubuntu user could pick '18.04/' or (equivalently) 'bionic/' on
http://mirrors.us.kernel.org/ubuntu-releases/.  Then, _finally_ user sees a
page like http://mirrors.us.kernel.org/ubuntu-releases/18.04/ , which has:

../
FOOTER.html                                        26-Apr-2018 20:59 27
HEADER.html                                        27-Apr-2018 00:54 2334
MD5SUMS                                            30-Apr-2018 18:10 134
MD5SUMS-metalink                                   26-Apr-2018 21:00 144
MD5SUMS-metalink.gpg                               26-Apr-2018 21:00 916
MD5SUMS.gpg                                        30-Apr-2018 18:10 916
SHA1SUMS                                           30-Apr-2018 18:10 150
SHA1SUMS.gpg                                       30-Apr-2018 18:10 916
SHA256SUMS                                         30-Apr-2018 18:10 198
SHA256SUMS.gpg                                     30-Apr-2018 18:10 916
ubuntu-18.04-desktop-amd64.iso                     26-Apr-2018 18:44 2G
ubuntu-18.04-desktop-amd64.iso.torrent             26-Apr-2018 20:58 72K
ubuntu-18.04-desktop-amd64.iso.zsync               26-Apr-2018 20:58 4M
ubuntu-18.04-desktop-amd64.list                    26-Apr-2018 18:44 8084
ubuntu-18.04-desktop-amd64.manifest                26-Apr-2018 18:40 53K
ubuntu-18.04-desktop-amd64.metalink                26-Apr-2018 21:00 45K
ubuntu-18.04-live-server-amd64.iso                 26-Apr-2018 19:48 806M
ubuntu-18.04-live-server-amd64.iso.torrent         26-Apr-2018 20:59 32K
ubuntu-18.04-live-server-amd64.iso.zsync           26-Apr-2018 20:59 2M
ubuntu-18.04-live-server-amd64.list                26-Apr-2018 19:49 8192
ubuntu-18.04-live-server-amd64.metalink            26-Apr-2018 21:00 47K



If you click on 'MD5SUMS', you see:

129292a182136a35e1f89c586dbac2e2 *ubuntu-18.04-desktop-amd64.iso
e35f45caf1d26ed5b1217d67f6ee86e8 *ubuntu-18.04-live-server-amd64.iso

If you select 'SHA1SUMS', you see:

f373c0aec6162cdba76ee9084e695866a15e441a *ubuntu-18.04-desktop-amd64.iso
0b3490de9839c3918e35f01aa8a05c9ae286fc94 *ubuntu-18.04-live-server-amd64.iso

If you select 'SHA256SUMS', you see:

55353d837cbf7bc006cf49eeff05ae5044e757498e30643a9199b9a25bc9a34 *ubuntu-18.04-desktop-amd64.iso
7a1c2966f82268c14560386fbc467d58c3fbd2793f3b1f657baee609b80d39a8 *ubuntu-18.04-live-server-amd64.iso


So, those are the published MD5, SHA1, and SHA56 checksums for the two 
ISO files in the same directory.  After download, you use a
checksum-calculating tool to check against one of those.  (MD5, SHA1,
and SMA256 are all hashing aka digest algorithms,  SHA256 has the fewest
known flaws among them, but all are good enough for this.)


Pretty ridiculously obscure, weren't they?  You basically had to know
they exist and hunt them down, or you would be unlikely to notice them
or learn why they're important.

Sadly, this 'make important stuff like checksums non-obvious' thing is
now all too common.  Even Debian does it, so it's hardly just Ubuntu.


Postscript:

Honestly, there's another set of files accompanying those that are about
as important, for a different reason:

MD5SUMS.gpg                                        30-Apr-2018 18:10 916
SHA1SUMS.gpg                                       30-Apr-2018 18:10 916
SHA256SUMS.gpg                                     30-Apr-2018 18:10 916

These are PGP (gpg, Gnu Privacy Guard) cryptographic signatures for the
three checksum files.  Strictly speaking, in addition to verifying
download integrity against one of the checksums, it would be a great
idea to also verify _authenticity_ of the checksum files, assuming you
have a copy of Ubuntu's signing key.  But that's another subject.


> Thanks,
> Elise Scher
> 
> On Thu, Jun 28, 2018, 20:06 Rick Moen <rick at linuxmafia.com> wrote:
> 
> > Quoting Michael Gray (michaelcgray at gmail.com):
> >
> > > Hi. Thank you for the invite. I think I solved my present problem, or am
> > on
> > > the way to the solution. The problem was not with the installation per
> > se,
> > > but with downloading the software to create a bootable USB stick.
> >
> > Thanks, I've learned something:  A bad ISO file download produces
> > symptoms similar to that of a permissions problem.  But this also
> > highlights my point that it's never a bad idea, immediately after
> > downloads of such disk-image files, to verify their integrity against
> > published md5, sha1, sha256 (etc.) checksums, before attempting to write
> > them to bootable media.
> >
> >
> > > Christian was right, defining the problem helped me see the solution.
> >
> > Always a worthwhile point!
> >
> > --
> > Cheers,              "I am a member of a civilization (IAAMOAC).  Step back
> > Rick Moen            from anger.  Study how awful our ancestors had it, yet
> > rick at linuxmafia.com  they struggled to get you here.  Repay them by
> > appreciating
> > McQ! (4x80)          the civilization you inherited."           -- David
> > Brin
> >
> > _______________________________________________
> > conspire mailing list
> > conspire at linuxmafia.com
> > http://linuxmafia.com/mailman/listinfo/conspire
> >

> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire





More information about the conspire mailing list