Re: md5sums and shasums
On Sat, 4 Apr 2015 11:16:30 +0100
Darac Marjal <firstname.lastname@example.org> wrote:
> On Fri, 3 Apr 2015 21:51:54 -0600
> Paul E Condon <email@example.com> wrote:
> > On 20150403_2316+0100, Lisi Reisz wrote:
> > > Can any kind soul take pity on my less than perfect sight and tell
> > > me where to find the md5sums and shasums for these downloads? A
> > > URL would be great. I just can't find them.
> > >
> > > https://www.debian.org/devel/debian-installer/?
> > >
> > > Thanks
> > > Lisi
> > I asked that a not long ago, when RC 2 was announced. It's right in
> > sight and very inconvenient to use:
> > You click of the hot link for the cpu type the you want and up pops a
> > pup-up. Look at it carefully. There is a url of a web site in Sweden,
> > I think. clicking on it is not effective. You enter the url displayed
> > inside to popup manually into the menubar, one key stroke at a time.
> > If you get it right, you will see a list of hot links. Third one,
> > 'cdimage' will take you to the md5 & sha sums.
> > This is a place where Debian is really not newbie friendly. If one is
> > a conscientious newbie, you have read all the fine words about using
> > wget and *never* using a browser to download .iso files, but not a
> > word about what to type at the command line to make wget go to where
> > the goodies are.
> I kind of wish Debian would support Metalink files for the downloads. A
> Metalink file is a text file which details all the mirror locations
> for the download (including, I think, location information, so you can
> pick closer mirrors) - which may be HTTP(S), BitTorrent, Magnet, RSync
> etc - as well as any number of hashes on the download (MD5, SHAxxx, PGP
> If Metalink files were supplied, then people would have the best chance
> of quickly getting the right file.
Does this Metalink thing support checking GPG signatures of files?
The whole complexity doesn't arise from the fact that one should check
hashes of downloaded ISOs. That's easy part.
The hard part is doing it correctly, which requires to check GPG
signature of the checksum file itself first.