when i download a linux distro's iso...
a md5sum or sha1sum file is present in the download directory(index of directory)...
i wish to know..what they indicate...
and what is the use of such files??
would there be any problem if md5sums files are not present for each iso????????

The checksums (md5sum, sha1sum, ...) are there so you can check that the file you downloaded is good/ok. If there is a problem with the file (i.e. at least one bit of it has changed for some reason from the original), the calculated checksum differs, usually a lot, and does not match the given checksum (which is in the MD5SUM or SHA1SUM or similar file). Thus you know the file is not good and can re-get it. So basically you are given the "known good" sum, you calculate the sum from your own copy and compare them. If the file is given, you don't need to compare the sums manually, but just feed the file to the checksum-calculating program and (typically) it also checks it for you. For example
will check all the files mentioned in MD5SUM file (calculate their md5sums), then compare those calculated sums to the ones in the MD5SUM file. If they match, the file(s) is (are) probably good and it says "OK". Otherwise you're told the sums don't match.

So in short you don't need those sums, they're just a way for you to see if your files are probably right, or definitely not right.

md5sum produces a hash; this particular algorithm is popular because it has properties which are useful for checking data integrity. A hash is a non-unique sequence produced by operating on a sequence of bits (a number or a string). Some types of hashes are used to help sort or locate information, but md5sum is used for checking data. md5sum can give that non-unique 'fingerprint' to a very large file; to reproduce the same hash result you will have to make many changes and most likely even need to change the size of the file. This makes the md5sum a very good tool for checking that the *.iso file that you downloaded is an exact copy of the file on the remote site. You just look at the published md5 hash and then compare it to what you get when you do: md5sum whatever.iso

yah...
that was very helpful.
thanx guys

Hi,

You can always 'man command' such as 'man md5sum' to get a better understanding.

Let's take a 20-megabyte file... pick one... and do an md5sum (say...) on that file.

Now, go back and change "just one lousy bit." Pick any one of the 160-million bits...

Whoa! The result of "md5sum" for the changed file is completely different! It's not just "a wee bit different," but rather, not-at-all the same.

And that, my friend, is precisely what algorithms like "md5" are for. The slightest difference between two files, i.e. the slightest error in copying or downloading, even "just one bit out of 120 million," is immediately recognizable because it produces a completely different result.

Verdict: if the value does not match exactly what you have been told to expect, download again.

Incidentally... cryptographic systems like "gpg" allow you to take this idea one step further: they produce a "digital signature" for a file that cannot be forged. They enable you to verify, not only that the file was correctly downloaded, but that the file you downloaded was in fact the one, byte-for-byte, that the publisher intended to provide.

Hi,

That same thought should be applied to a burnt image of the downloaded iso. I've see to many posts with that being the problem. A lot of people assume the burn is OK. You should compare the burnt image with the original md5sum to confirm the burn is OK.

yah
that is a really notable point

Hi,

The md5sum is posted by the author/team for the file in question. Most reliable sites do provide the hash for the downloadable file.