LinuxQuestions.org
Old 02-12-2007, 02:59 AM   #1
andy.l
Member
 
Registered: Feb 2007
Location: Scandinavia
Distribution: Fedora Core 6/Ubuntu 6.10
Posts: 93

Question verifying downloaded ISOs


Hi

I'm going to download my first ISOs to install a new machine with Linux. I've normally used CDs from various Linux magazines, but thought I should do it all from scratch this time and download as well.
I see that all ISOs also have a file with the md5sums or sha1sums for the ISO images. How important is it to actually check the ISOs against the md5sums? I know that it's a nice way to verify that the ISOs are right, but from a security point of view, how important is it to do that?
This verification, is it something everyone is doing, or is it only for a few specially interested?

/Andy
 
Old 02-12-2007, 03:04 AM   #2
billymayday
LQ Guru
 
Registered: Mar 2006
Location: Sydney, Australia
Distribution: Fedora, CentOS, OpenSuse, Slack, Gentoo, Debian, Arch, PCBSD
Posts: 6,678

Given that it only takes a few seconds to do the checksum, and if nothing else will tell you if the download worked properly, I don't see why you wouldn't.
 
Old 02-12-2007, 03:07 AM   #3
MS3FGX
LQ Guru
 
Registered: Jan 2004
Location: NJ, USA
Distribution: Slackware, Debian
Posts: 5,852

Technically you should always be checking the MD5 sums, to make sure you got a good download. But with technology as it is today, getting a corrupted download is less and less likely.

From a security standpoint, it is both good and bad. On one hand it is good because you can verify that the file you downloaded is the one you wanted, but on the other hand, anyone can post the MD5 sum for a file. Unless you are getting the MD5 sum from the official website, who is to say that it is legitimate?

For instance, if you were downloading a program from a mirror, and it turns out this particular file was a fake and actually contained a trojan, you would never know from the MD5 sums. The site that is hosting the fake file is just going to put up the correct MD5 sum, and lure you into a false sense of security since it is going to match.

If you are using the MD5 sums with security in mind, you MUST make sure you check the sum from the official site of the distribution/software. Don't just go by the MD5 posted on the site you downloaded it from.
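
The point made in post #3, as an added example that is not part of the original thread: a constructed rogue mirror serves a tampered image with a regenerated MD5SUM list, so the check against the mirror's own list passes and only the list taken from the official site shows the mismatch. The function names, directory layout and file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. File names and contents below are constructed stand-ins.

# verify_iso FILE SUMS: compare FILE's MD5 with its entry in SUMS, a list in
# md5sum format ("<hash>  <name>"). Returns 0 on match, 1 on mismatch,
# 2 when SUMS has no entry for FILE. Names containing spaces are not handled.
verify_iso() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$2")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$1" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# make_demo_tree DIR: build a constructed "official" site and a rogue "mirror".
# The mirror serves a different image and a checksum list regenerated to match it.
make_demo_tree() {
    mkdir -p "$1/official" "$1/mirror"
    printf 'genuine image\n'  > "$1/official/distro.iso"
    printf 'tampered image\n' > "$1/mirror/distro.iso"
    (cd "$1/official" && md5sum distro.iso > MD5SUM)
    (cd "$1/mirror"   && md5sum distro.iso > MD5SUM)
}

# report LABEL FILE SUMS: print the outcome of one verification.
report() {
    rc=0
    verify_iso "$2" "$3" || rc=$?
    case $rc in
        0) echo "$1: match" ;;
        1) echo "$1: MISMATCH" ;;
        *) echo "$1: no entry for file" ;;
    esac
}

demo=$(mktemp -d)
make_demo_tree "$demo"
# Same downloaded file, two different sources for the expected checksum.
report "mirror's own list " "$demo/mirror/distro.iso" "$demo/mirror/MD5SUM"
report "official site list" "$demo/mirror/distro.iso" "$demo/official/MD5SUM"
rm -rf "$demo"
```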
 
  


All times are GMT -5.