wrong checksums for Cauldron netinstall


Postby flink » Nov 2nd, '22, 21:44

I have downloaded the Mageia Cauldron netinstall nonfree 64bit 3 times from 3 different HTTP servers.


Code:
md5sum Mageia-Cauldron-netinstall-nonfree-x86_64.iso
9c36a32fd7e3d48a259571fd75b36300  Mageia-Cauldron-netinstall-nonfree-x86_64.iso


However the website requires this:

Code:
$ # You can also compare checksum directly from this web page without checksum file
$ md5sum Mageia-Cauldron-netinstall-nonfree-x86_64.iso
7ec0ac040903638ef4a457fd77964cd1  Mageia-Cauldron-netinstall-nonfree-x86_64.iso

Re: wrong checksums for Cauldron netinstall

Postby sturmvogel » Nov 2nd, '22, 21:58

Download the image and the checksum files directly from the same mirror. They match...
https://ftp-stud.hs-esslingen.de/pub/Mirrors/Mageia/distrib/cauldron/x86_64/install/images/
As the cauldron images change really fast, the information on the website can't keep the same pace...

Code:
[ich@laptop Mageia 8]$ md5sum -c 'Mageia-Cauldron-netinstall-nonfree-x86_64.iso.md5'
Mageia-Cauldron-netinstall-nonfree-x86_64.iso: OK

[ich@laptop Mageia 8]$ md5sum 'Mageia-Cauldron-netinstall-nonfree-x86_64.iso'
9c36a32fd7e3d48a259571fd75b36300  Mageia-Cauldron-netinstall-nonfree-x86_64.iso



Re: wrong checksums for Cauldron netinstall

Postby flink » Nov 3rd, '22, 10:54

sturmvogel wrote: Download the image and the checksum files directly from the same mirror. They match...

Isn't this dangerous? The provider of the ISO-image could have modified the LINUX and the checksum file as well.

Re: wrong checksums for Cauldron netinstall

Postby sturmvogel » Nov 3rd, '22, 12:16

What? Please think about this question again. Your question implies that Mageia provides manipulated images. This is nonsense. The "provider" of the image is Mageia and all download mirrors get synchronized from the Mageia source mirrors...
The link that I provided is an official download mirror for Mageia distribution.

You can choose another one if you want. Have a look here:
https://mirrors.mageia.org
https://mirrors.mageia.org/report
https://mirrors.mageia.org/status

Re: wrong checksums for Cauldron netinstall

Postby flink » Nov 3rd, '22, 12:41

sturmvogel wrote: Your question implies that Mageia provides manipulated images. This is nonsense.

No, this does not imply anything from Mageia. The server owner or a hacker of this server is able to generate another IMAGE. This is the reason why a checksum needs to be verified.

Re: wrong checksums for Cauldron netinstall

Postby sturmvogel » Nov 3rd, '22, 12:53

If you don't trust the official Mageia mirrors, feel free to do whatever you want. You can download from a source mirror. I already provided you all the needed information in my last post for the Mageia mirror map and so on... but do you trust Mageia mirrors at all?

You are making up a theoretical case. Sure, it is possible that a malicious provider of software (happens sometimes on GitHub or other platforms) provides malicious software with matching checksums. But there is nothing you could do. It is common that the software and the checksum file are provided on the same server. And you only compare the checksum of the downloaded image with the checksum file to prevent the image from getting manipulated/damaged by a man in the middle or during download.
This is nothing special only for Mageia. That is how it is done for all Linux distributions...

Have another look, as an example, at an openSUSE mirror with images and checksums on the same server:
http://ftp.uni-erlangen.de/opensuse/distribution/leap/15.4/iso/

Re: wrong checksums for Cauldron netinstall

Postby doktor5000 » Nov 3rd, '22, 17:58

flink wrote: Isn't this dangerous? The provider of the ISO-image could have modified the LINUX and the checksum file as well.

So you will basically never trust any image for which checksums have been provided, because both image and checksums could have been manipulated?
Cauldron is not for the faint of heart!
Caution: Hot, bubbling magic inside. May explode or cook your kittens!
----
Disclaimer: Beware of allergic reactions in answer to unconstructive complaint-type posts

Re: wrong checksums for Cauldron netinstall

Postby morgano » Nov 3rd, '22, 21:22

I think that is a valid point: to use the checksum from, i.e., the top site for checking the bulk download from a fast mirror.

The problem with cauldron images is, as said, that they change frequently...
At home & work Mandriva since 2006, Mageia 2011. Thinkpad T40, T43, T60, T400, T510, Dell M4400, M6300, Acer Aspire 7. Workstation using LVM, LUKS, VirtualBox, BOINC

Re: wrong checksums for Cauldron netinstall

Postby doktor5000 » Nov 3rd, '22, 21:38

Going by that logic, that same website can also be manipulated ...

Re: wrong checksums for Cauldron netinstall

Postby morgano » Nov 3rd, '22, 22:36

Absolutely. And there are more attack vectors too, at different levels of code development, maintenance updating... I remember some time when CD was fresh, a big software provider distributed software with an inbuilt virus by mistake... At that time no checksum was provided, and if it had been, it would probably have been for the infected version...

I just mean the principle of getting the checksum from a different source is good. Like for certificates, two-factor authentication etc.
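The principle discussed above (checking one image against checksum files obtained from more than one source) as an added shell example; it is not part of any forum post and not a Mageia tool. `expected_sum`, `cross_check` and `demo` are hypothetical helper names, the demo files are constructed, and any coreutils tool such as `sha512sum` can be passed in place of `md5sum`.

```shell
#!/bin/sh
# Cross-check a downloaded image against checksum files from several sources.
# Assumes coreutils-style lines ("<hex>  <name>") and names without spaces.

# expected_sum SUMFILE NAME: print the digest SUMFILE lists for NAME.
expected_sum() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' "$1"
}

# cross_check TOOL IMAGE SUMFILE...
# 0 = every source lists the digest computed locally
# 1 = at least one source lists a different digest (stale or tampered)
# 2 = no mismatch, but a source has no entry for the image, or no source given
cross_check() {
    tool=$1; image=$2; shift 2
    [ "$#" -ge 1 ] || return 2
    actual=$("$tool" "$image" | awk '{ print $1 }')
    [ -n "$actual" ] || return 2
    name=$(basename "$image"); rc=0
    for src in "$@"; do
        want=$(expected_sum "$src" "$name")
        if [ -z "$want" ]; then
            echo "NO ENTRY  $src"; [ "$rc" -eq 1 ] || rc=2
        elif [ "$want" = "$actual" ]; then
            echo "MATCH     $src"
        else
            echo "MISMATCH  $src lists $want, image is $actual"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: a dummy "image", the checksum file generated next to it,
# and an outdated value from a second source (the situation in this thread).
demo() {
    d=$(mktemp -d) || return 2
    printf 'constructed image bytes\n' > "$d/demo.iso"
    (cd "$d" && md5sum demo.iso > mirror.md5)
    echo "7ec0ac040903638ef4a457fd77964cd1  demo.iso" > "$d/website.md5"
    cross_check md5sum "$d/demo.iso" "$d/mirror.md5" "$d/website.md5"
    status=$?
    rm -rf "$d"
    return "$status"
}
demo || echo "sources disagree: find out which one is stale before using the image"
```

A mismatch alone does not say which source is wrong; for a fast-changing image it may only mean that one source is older than the other.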

Re: wrong checksums for Cauldron netinstall

Postby mgauser » Nov 4th, '22, 13:08

On the other hand, having multiple *.iso images with different checksums is at least some variety.
MSI H81M-ECO, Intel Core i3-4130T, Intel HD Graphics 4400 | Mageia-9 Budgie 10.6.4 x86_64

