Delve into the wondrous labyrinth of sparkling images that is the Debian build output.
You must log in or register to comment.
“You can ignore the
SHA...files if you do not know what they are needed for. They are not important for you.”…That’s where I stopped reading this.
I stopped at “secret” (yes, the occurrence in the title) :)
TBH the checksums are pretty useless for humans who download an .iso and install it… they are mainly for mirrors and similar that download files without using them
Also: If someone manages to tamper with the downloadable ISO … they likely will be able to tamper with the signature files, too.
Yeah I think hashes in the same folder are only valuable as a check to make sure you downloaded the file successfully. Which isn’t a big issue for at least the around 80% of internet users who have access to broadband. They are only useful for security if the hash is on the website that you click on and then you download and verify it manually.
I’m fully aware of what a SHA file is, and it’s entirely unimportant to me.
Admittedly, I did check the arch image I use at work.
Those must have been really helpful in 1999.
Doubt it, they were more likely using md5sum files in 1999.
True! My original point though is that just providing a hash for a downloaded file is generally not required. It doesn’t provide anything that other layers haven’t already (a hash only guarantees integrity, while downloading over HTTPS provides authenticity). Personally, I see them as a relic of the past that made more sense when transmission was less robust (though even back then, a lot of layers provided some sort of error detection and correction), and modern filesystems can detect errors as well.
