[sf-lug] (forw) Re: How to check distro checksums and signatures

Rick Moen rick at linuxmafia.com
Sun Feb 21 18:47:12 PST 2016


Quoting Bobbie Sellers (bliss-sf4ever at dslextreme.com):

>     However in the Linux Mint instance the checksums of the forged
> disks were also hacked so that when you thought you were getting
> the data from the Mint site you were getting it from the forged site.

Not precisely.

Quoting Clem on the blog (http://blog.linuxmint.com/?p=2994):  'What
really helps here is duplication and the community. We were alerted very
fast and we were able to be alerted because people could find
contradicting MD5s (and that’s mostly because the MD5s aren’t just in
one place, but in many).'

This is why I said that checking the md5sums caught the impersonation.  I
didn't want to go into _even longer_ detail about how tampered md5sums
occurred in one place but not in all the others, as my post was too long
and detailed as it stood -- and I figured people wanting all the details
could follow links.

> Even magazines can have bad disks and the creator of the distribution
> will say that the checksum is not supplied with the disk because the
> magazine or other publisher may have altered the supplied material.

In my experience, not only are the CDs/DVDs supplied with magazines and
books often meddled with by the publisher, but also they most often
furnish obsolete software.

Honourable exceptions include the annual CeBIT (international computer
expo / trade fair in Hannover) edition of Knoppix, produced for CeBIT by
Klaus Knopper directly and bundled with the issue of _Linux Magazine_
that covers CeBIT.
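
Added example, not part of the original post: a sketch of the cross-check Clem describes, where the same file's checksum is collected from several independent places and any disagreement is flagged before the download is trusted. The source labels, file name and image bytes are constructed for illustration, and SHA-256 is assumed as the default digest (the `md5sum` and `sha256sum` list formats are the same).

```python
import hashlib
from collections import defaultdict

def parse_sums(text):
    """Parse md5sum/sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue  # skip blank, malformed and comment lines
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()
    return sums

def cross_check(filename, sources):
    """sources maps a label to checksum-list text; returns {digest: [labels]}."""
    by_digest = defaultdict(list)
    for label, text in sources.items():
        digest = parse_sums(text).get(filename)
        if digest:
            by_digest[digest].append(label)
    return dict(by_digest)

def verdict(filename, data, sources, algo="sha256"):
    """Compare a download against every published digest, not just one list."""
    published = cross_check(filename, sources)
    if not published:
        return "NO-DATA"
    if len(published) > 1:
        return "CONFLICT"  # the places disagree: trust none until resolved
    actual = hashlib.new(algo, data).hexdigest()
    return "MATCH" if actual in published else "MISMATCH"

# Constructed sample data: stand-ins for a genuine and a modified image.
NAME = "example-distro.iso"
ISO = b"constructed stand-in for an ISO image\n"
TAMPERED = b"constructed stand-in for a modified image\n"
GOOD = hashlib.sha256(ISO).hexdigest()
BAD = hashlib.sha256(TAMPERED).hexdigest()
SOURCES_OK = {
    "project site": f"{GOOD}  {NAME}\n",
    "mirror A": f"{GOOD} *{NAME}\n",
    "announcement": f"# release sums\n{GOOD.upper()}  {NAME}\n",
}
# One place publishes a digest that matches the modified image.
SOURCES_CONFLICT = dict(SOURCES_OK, **{"project site": f"{BAD}  {NAME}\n"})

if __name__ == "__main__":
    only_site = {"project site": SOURCES_CONFLICT["project site"]}
    print("single list:", verdict(NAME, TAMPERED, only_site))
    print("all lists:  ", verdict(NAME, TAMPERED, SOURCES_CONFLICT))
    print("disagreeing:", cross_check(NAME, SOURCES_CONFLICT)[BAD])
```

Checked against the altered list alone, the modified image passes; it is the comparison across all the lists that exposes the contradiction.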




