important question, checksums, mirror sites

Non release banter
luko
White ninja
Posts: 16
Joined: 05 Oct 2015, 13:58
Distribution: Porteus, Lubuntu
Location: Slovakia

important question, checksums, mirror sites

Post#1 by luko » 27 Apr 2017, 18:52

Hi folks, I have a minor... oh, important question.

First I want to say I don't speak about the original Porteus files and modules but about the i484, x86_64 items in the forum where any user can download packages.

I see that some people put precompiled packages and mirror sites here. I know that any user can download them and try/use them, but are these packages trusted? Some people are from Porteus and are OK, but how can I know these packages are clean?

There are no md5/sha256 checksums or trusted sources.

I vote for publishing the original binary source files from which these packages are created.

Like when I want to publish e.g. a text editor (GEANY) package, then also publish
the original binary that I'm using:
http://slackware.uk/salix/x86_64/14.2/s ... 64-1gv.txz
and the checksum too:
http://slackware.uk/salix/x86_64/14.2/s ... 64-1gv.md5

what do you think about this?

Bogomips
Full of knowledge
Posts: 2564
Joined: 25 Jun 2014, 15:21
Distribution: 3.2.2 Cinnamon & KDE5
Location: London

Re: important question, checksums, mirror sites

Post#2 by Bogomips » 27 Apr 2017, 19:26

Normally do this. Please see as example: http://forum.porteus.org/viewtopic.php? ... 10e#p51557
Linux porteus 4.4.0-porteus #3 SMP PREEMPT Sat Jan 23 07:01:55 UTC 2016 i686 AMD Sempron(tm) 140 Processor AuthenticAMD GNU/Linux
NVIDIA Corporation C61 [GeForce 6150SE nForce 430] (rev a2) MemTotal: 901760 kB MemFree: 66752 kB

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: important question, checksums, mirror sites

Post#3 by donald » 28 Apr 2017, 06:24

Hi luko

First of all, I understand your concerns.

But the truth is, as long as one does not read the source code
-- and understand what this code does --
one has to trust the maintainer, no matter where you got the package from.

If you install a linux distribution, containing hundreds of packages...you have to trust.

Otherwise, install Wireshark on a 2nd PC and observe from the outside what your PC is doing
(sending / receiving).

And if you don't trust me, I won't trust you either.. :wink:

Evan
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: *

Re: important question, checksums, mirror sites

Post#4 by Evan » 28 Apr 2017, 07:18

donald wrote:If you install a linux distribution, containing hundreds of packages...you have to trust.

http://blog.linuxmint.com/?p=2994

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: important question, checksums, mirror sites

Post#5 by donald » 28 Apr 2017, 08:05

^
is known....

Does not change the statement,...proves only that trust can also be abused.

Evan
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: *

Re: important question, checksums, mirror sites

Post#6 by Evan » 28 Apr 2017, 08:15

donald wrote:^
is known....

Does not change the statement,...proves only that trust can also be abused.
:shock:

So you just carry on without an official sha256 checksum even when trust is proven to be broken.


donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: important question, checksums, mirror sites

Post#7 by donald » 28 Apr 2017, 08:31

^
If I (would) package some malware, I would surely also provide the appropriate (whichever) checksum.
lol

Compile a source twice and you will get two different checksums.
Debian is on the way to establishing reproducible builds. That would be a step forward.

EDIT

One can take some precautions.

a) get your packages from the official repo

b) compile by yourself
(Not a big advantage if you did not understand the source and also built a compiler yourself)

c) download from people who have a good reputation (to lose).

Evan
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: *

Re: important question, checksums, mirror sites

Post#8 by Evan » 28 Apr 2017, 10:00

donald wrote:^
If I (would) package some malware, I would surely also provide the appropriate (whichever) checksum.
lol
Sites like Mint now release the checksums off-site across multiple places for people to cross-reference, so the hacker would have to instantly hack each mirror at release for all the hacked copies to match.
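One way to do the cross-referencing Evan describes, as an added example that is not from this thread: it parses md5sum/sha256sum-style checksum files as they would be published by several independent hosts (the host names and the checksum files below are constructed inline, not fetched), computes the digest of the downloaded bytes, and accepts the download only if every source lists the file, all sources agree, and the agreed digest matches.

```python
import hashlib

# Constructed stand-in for a downloaded package (not a real .txz archive).
PACKAGE_NAME = "example-package-1.0-x86_64-1.txz"
PACKAGE_BYTES = b"constructed package contents, not a real archive\n"

def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <filename>') into {filename: hex}.
    Blank and '#' lines are skipped; a leading '*' (binary-mode marker) is dropped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, name = parts
            table[name.lstrip("*")] = digest.lower()
    return table

def verify_against_sources(data, filename, sources, algo="sha256"):
    """Return (ok, reason). ok only if every source lists the file, all sources
    publish the same digest, and that digest matches the downloaded bytes.
    Sources are assumed to be independent hosts; their agreement is the point."""
    computed = hashlib.new(algo, data).hexdigest()
    published = set()
    for src, text in sources.items():
        table = parse_checksum_file(text)
        if filename not in table:
            return False, f"{src} does not list {filename}"
        published.add(table[filename])
    if len(published) != 1:
        return False, f"sources disagree: {sorted(published)}"
    expected = published.pop()
    if expected != computed:
        return False, f"mismatch: published {expected}, computed {computed}"
    return True, f"{len(sources)} sources agree and match ({algo})"

def constructed_sources(tamper_one=False):
    """Checksum files as three hypothetical hosts would publish them (constructed
    here, not fetched). tamper_one=True models a single compromised mirror."""
    line = f"{hashlib.sha256(PACKAGE_BYTES).hexdigest()}  {PACKAGE_NAME}\n"
    sources = {
        "mirror-a.example/CHECKSUMS": "# constructed\n" + line,
        "mirror-b.example/CHECKSUMS": line,
        "project-site.example/CHECKSUMS": line.replace("  ", "  *"),
    }
    if tamper_one:
        sources["mirror-b.example/CHECKSUMS"] = "0" * 64 + "  " + PACKAGE_NAME + "\n"
    return sources
```

A single altered mirror makes the sources disagree and the check fails, which is the property the off-site publication relies on; a checksum that lives only next to the download on the same host gives no such guarantee.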

donald
Full of knowledge
Posts: 2064
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: important question, checksums, mirror sites

Post#9 by donald » 28 Apr 2017, 11:34

Well, I'm totally relaxed.
There are a lot of good, reliable people out there who really do know what goes on,
and if a piece of software behaved suspiciously it would be observed and reported very quickly.

Software has and will always have security gaps.
To use these is much "quieter" and more discreet.
You know the motto of "Backtrack"?:
-- The quieter you are, the more you hear --

Imho, it is much more likely that users endanger themselves by doing "stupid" things.
...Adobe Flash anyone?....

You see, in regards to Linux software used on home PCs I am in no way worried.

Evan
Shogun
Posts: 466
Joined: 11 Apr 2016, 09:00
Distribution: *

Re: important question, checksums, mirror sites

Post#10 by Evan » 28 Apr 2017, 11:37

donald wrote: Imho, it is much more likely that users endanger themselves by doing "stupid" things.
...Adobe Flash anyone?....
Well, there's one thing we both agree on. :D :friends:
