Re: md5sums and shasums

To: debian-user@lists.debian.org
Subject: Re: md5sums and shasums
From: Darac Marjal <mailinglist@darac.org.uk>
Date: Sat, 4 Apr 2015 17:34:12 +0100
Message-id: <[🔎] 20150404173412.0d625858@rocky.darac.org.uk>
In-reply-to: <[🔎] 20150404140748.9e42ced1b5d64703bfc7dcbc@gmail.com>
References: <[🔎] 201504032316.45548.lisi.reisz@gmail.com> <[🔎] 20150404035154.GA17568@big.lan.gnu> <[🔎] 20150404111630.1f7f143f@rocky.darac.org.uk> <[🔎] 20150404140748.9e42ced1b5d64703bfc7dcbc@gmail.com>

On Sat, 4 Apr 2015 14:07:48 +0300
Reco <recoverym4n@gmail.com> wrote:

>  Hi.
> 
> On Sat, 4 Apr 2015 11:16:30 +0100
> Darac Marjal <mailinglist@darac.org.uk> wrote:
> 
> > On Fri, 3 Apr 2015 21:51:54 -0600
> > Paul E Condon <pecondon@mesanetworks.net> wrote:
> > 
> > > On 20150403_2316+0100, Lisi Reisz wrote:
> > > > Can any kind soul take pity on my less than perfect sight and
> > > > tell me where to find the md5sums and shasums for these
> > > > downloads?  A URL would be great.  I just can't find them.
> > > > 
> > > > https://www.debian.org/devel/debian-installer/?
> > > > 
> > > > Thanks
> > > > Lisi
> > > 
> > > I asked that a not long ago, when RC 2 was announced. It's right
> > > in sight and very inconvenient to use:
> > > 
> > > You click of the hot link for the cpu type the you want and up
> > > pops a pup-up. Look at it carefully. There is a url of a web site
> > > in Sweden, I think. clicking on it is not effective. You enter
> > > the url displayed inside to popup manually into the menubar, one
> > > key stroke at a time. If you get it right, you will see a list of
> > > hot links. Third one, 'cdimage' will take you to the md5 & sha
> > > sums.
> > > 
> > > This is a place where Debian is really not newbie friendly. If
> > > one is a conscientious newbie, you have read all the fine words
> > > about using wget and *never* using a browser to download .iso
> > > files, but not a word about what to type at the command line to
> > > make wget go to where the goodies are. 
> > > 
> > 
> > I kind of wish Debian would support Metalink files for the
> > downloads. A Metalink file is a text file which details all the
> > mirror locations for the download (including, I think, location
> > information, so you can pick closer mirrors) - which may be
> > HTTP(S), BitTorrent, Magnet, RSync etc - as well as any number of
> > hashes on the download (MD5, SHAxxx, PGP etc).
> > 
> > If Metalink files were supplied, then people would have the best
> > chance of quickly getting the right file.
> 
> Does this Metalink thing support checking GPG signatures of files?
> The whole complexity doesn't arise from the fact that one should check
> hashes of downloaded ISOs. That's easy part.
> 
> The hard part is doing it correctly, which requires to check GPG
> signature of the checksum file itself first.

Yep. Section 4.2.13 of RFC 5854 describes a <signature> tag which
encloses an inline signature (the type of signature is not specified,
but an example is shown of an OpenPGP signature.

Section 7.1 of the same document additionally covers how the Metalink
itself can be signed.

> 
> Reco
> 
>

Reply to:

References:
- md5sums and shasums
  - From: Lisi Reisz <lisi.reisz@gmail.com>
- Re: md5sums and shasums
  - From: Paul E Condon <pecondon@mesanetworks.net>
- Re: md5sums and shasums
  - From: Darac Marjal <mailinglist@darac.org.uk>
- Re: md5sums and shasums
  - From: Reco <recoverym4n@gmail.com>

Prev by Date: Re: firefox-37, where to put
Next by Date: Re: firefox-37, where to put
Previous by thread: Re: md5sums and shasums
Next by thread: Re: md5sums and shasums
Index(es):
- Date
- Thread