important question, checksums, mirror sites
-
- White ninja
- Posts: 16
- Joined: 05 Oct 2015, 13:58
- Distribution: Porteus, Lubuntu
- Location: Slovakia
important question, checksums, mirror sites
Hi folks, I have a minor... oh, an important question........
First I want to say I don't speak about the original Porteus files and modules but about the i484, x86_64 items in the forum where I or any user can download packages.
I see that some people put precompiled packages and mirror sites here; I know that any user can download and try them, use them, but are these packages trusted? Some people are from Porteus and are OK, but how can I know these packages are clean?
There are no md5 or sha256 checksums or trusted sources.
I vote for publishing the original binary source files from which these packages are created,
like when I want to publish e.g. the text editor GEANY package, then also publish
the original binary that I am using
http://slackware.uk/salix/x86_64/14.2/s ... 64-1gv.txz
and the checksum too
http://slackware.uk/salix/x86_64/14.2/s ... 64-1gv.md5
What do you think about this?
-
- Full of knowledge
- Posts: 2564
- Joined: 25 Jun 2014, 15:21
- Distribution: 3.2.2 Cinnamon & KDE5
- Location: London
Re: important question, checksums, mirror sites
Normally do this. Please see as example: http://forum.porteus.org/viewtopic.php? ... 10e#p51557
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB
-
- Full of knowledge
- Posts: 2070
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: important question, checksums, mirror sites
Hi luko
First of all, I understand your concerns.
But the truth is, as long as one does not read the source code
-- and understand what this code does --
one has to trust the maintainer, no matter where you got the package from.
If you install a Linux distribution containing hundreds of packages... you have to trust.
Otherwise, install Wireshark on a 2nd PC and observe from the outside what your PC is doing
(sending / receiving).
And if you don't trust me, I won't trust you either..
Re: important question, checksums, mirror sites
donald wrote: If you install a Linux distribution containing hundreds of packages... you have to trust.
http://blog.linuxmint.com/?p=2994
-
- Full of knowledge
- Posts: 2070
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: important question, checksums, mirror sites
^
Is known....
Does not change the statement, ... proves only that trust can also be abused.
Re: important question, checksums, mirror sites
donald wrote: ^
Is known....
Does not change the statement, ... proves only that trust can also be abused.
So you just carry on without an official sha256 checksum even when trust is proven to be broken.
-
- Full of knowledge
- Posts: 2070
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: important question, checksums, mirror sites
^
If I (would) package some malware, I would surely also provide the appropriate (whichever) checksum.
lol
Compile a source twice and you will get two different checksums.
Debian is on the way to establishing reproducible builds. That would be a step forward.
EDIT
One can take some precautions.
a) get your packages from the official repo
b) compile it yourself
(Not a big advantage if you did not understand the source and also built a compiler yourself)
c) download from people who have a good reputation (to lose).
Re: important question, checksums, mirror sites
donald wrote: ^
If I (would) package some malware, I would surely also provide the appropriate (whichever) checksum.
lol
Sites like Mint now release the checksums off site across multiple places for people to cross-reference, so the hacker would have to instantly hack each mirror at release for all the hacked copies to match.
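Added example (not code from this thread or from Porteus): verifying a downloaded package's sha256 against checksum files obtained from several independent mirrors, and trusting it only when at least two sources agree and none disagrees. The package bytes, file name, mirror names and checksum-file contents are constructed inline for demonstration.

```python
import hashlib
import re
from typing import Dict

# Constructed stand-ins for a downloaded package and the sha256sum-style
# checksum files as fetched from several independent mirrors (hypothetical).
PACKAGE_NAME = "geany-example.txz"
PACKAGE_BYTES = b"constructed package payload, not a real Slackware txz\n"

GOOD_SUM = hashlib.sha256(PACKAGE_BYTES).hexdigest()
TAMPERED_SUM = "0" * 64  # what a mirror serving a swapped file might publish

# Each value mimics the content of a published .sha256 file: "<hash>  <file>".
MIRROR_CHECKSUM_FILES: Dict[str, str] = {
    "mirror-a": f"{GOOD_SUM}  {PACKAGE_NAME}\n",
    "mirror-b": f"{GOOD_SUM}  {PACKAGE_NAME}\n",
    "mirror-c (compromised)": f"{TAMPERED_SUM}  {PACKAGE_NAME}\n",
}

CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)\s*$")


def parse_checksum_file(text: str) -> Dict[str, str]:
    """Parse sha256sum output: one '<hex>  <filename>' entry per line."""
    entries = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_across_mirrors(data: bytes, name: str, sources: Dict[str, str]) -> dict:
    """Hash the local file once, then compare it with every source's entry.
    Returns which sources agree, disagree, or lack an entry, plus a verdict."""
    actual = hashlib.sha256(data).hexdigest()
    result = {"actual": actual, "agree": [], "disagree": [], "missing": []}
    for src, text in sources.items():
        published = parse_checksum_file(text).get(name)
        if published is None:
            result["missing"].append(src)
        elif published == actual:
            result["agree"].append(src)
        else:
            result["disagree"].append(src)
    # A single matching checksum proves little (the publisher controls both);
    # require independent agreement and treat any disagreement as a red flag.
    result["trusted"] = len(result["agree"]) >= 2 and not result["disagree"]
    return result


if __name__ == "__main__":
    r = verify_across_mirrors(PACKAGE_BYTES, PACKAGE_NAME, MIRROR_CHECKSUM_FILES)
    print("trusted:", r["trusted"], "| disagree:", r["disagree"])
```

With the constructed data the verdict is not trusted, because one mirror disagrees even though the local hash matches the other two.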
-
- Full of knowledge
- Posts: 2070
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: important question, checksums, mirror sites
Well, I'm totally relaxed.
There are a lot of good, reliable people out there who really know what goes on,
and if a piece of software behaved suspiciously it would be observed and reported very quickly.
Software has and will always have security gaps.
To use these is much "quieter" and more discreet.
You know the motto of "Backtrack"?:
-- The quieter you are the more you hear --
Imho, it is much more likely that users endanger themselves by doing "stupid" things.
...Adobe Flash anyone?....
You see, in regards to Linux software used on home PCs I am in no way worried.
Re: important question, checksums, mirror sites
donald wrote: Imho, it is much more likely that users endanger themselves by doing "stupid" things.
...Adobe Flash anyone?....
Well, there's one thing we both agree on.