
#1 2016-07-12 14:33:45

gurkan
Member
Registered: 2016-02-01
Posts: 28

No checksum, should I be worried?

Hi!

I have used Arch for about 9 months now and everything is working flawlessly. But yesterday it struck me that I have never checked the checksum on my ISO downloads. I know it is something that I shouldn't skip, but as I said, I have just forgotten it. My question here now is whether I should be worried about "manipulated ISOs", just like what happened to Linux Mint several months ago?

Has Arch ever been exposed to something similar to what happened to Mint? I'm afraid I should reinstall all 3 of my Arch computers just because of this, or am I just paranoid?

Thanks in advance.


#2 2016-07-12 14:54:57

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: No checksum, should I be worried?

Once upon a time, packages weren't signed. And not everyone reinstalled their computer after they started getting signed.

If you want to be super-careful, go right ahead. But it is almost definitely safe to assume it was okay. And no, Arch hasn't been confirmed to have such an issue.


Managing AUR repos The Right Way -- aurpublish (now a standalone tool)


#3 2016-07-12 14:56:58

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: No checksum, should I be worried?

In the case of the ISOs on the download page the checksum verifies the integrity of the download - it does nothing to ensure that what was downloaded was not malicious.

The checksum is useful if the ISO will not boot, or does something odd. If the checksum doesn't match, it was a bad download (corrupted in transmission). But if someone maliciously replaced the ISO links on the webpage with other functional but hijacked ISOs, then they could definitely also alter the checksum on that page (this part is much easier). So comparing the checksum of your download to the checksum printed on the download page does absolutely nothing for security.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#4 2016-07-12 15:10:49

eschwartz
Fellow
Registered: 2014-08-08
Posts: 4,097

Re: No checksum, should I be worried?

Well, that assumes the Archlinux.org website was hacked.

But the ISO is hosted on mirrors. So if one of the mirrors was hacked, but not the archlinux.org website where the checksum is listed, then the checksum absolutely would show something fishy.

...

Granted, if you are worried you really should check the PGP signature instead...


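The distinction drawn in posts #3 and #4 (a checksum taken from the same page as the download link, a checksum taken from archlinux.org while the mirror is compromised, and a detached signature) can be put as a small threat model. The following is an added example written for this thread, not code from the Arch project or from any poster. It stands in for real tooling: the "ISO" is a constructed byte string, the "website" is a dict, and the PGP signature is replaced by textbook RSA over SHA-256 with a tiny, deliberately insecure toy key (P, Q, E and the scenario names are all assumptions made for illustration). What it shows is which check fails in which scenario: a checksum published by the attacker is worthless, a checksum published by an uncompromised archlinux.org catches a bad mirror, and only the signature survives the case where both the mirror and the page carrying the checksum are under the attacker's control, because the private key is not on that page. In practice the equivalent commands are `sha256sum -c` against the checksum file and `gpg --verify` against the `.sig` file, with the signing key obtained independently of the download page.

```python
"""Checksum vs. signature: which ISO-tampering scenarios each one detects.

Added example for this thread. All data is constructed; the RSA key is a
toy (about 40 bits) and must never be used for anything real.
"""
import hashlib

# Toy RSA key, constructed for this example only (far too small for real use).
# In the real world the private exponent D lives on the Arch signer's machine,
# and the user fetches the public key (N, E) out of band, e.g. via a keyring.
P, Q = 1000003, 1000033          # two small primes (assumption: toy key)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)


def sha256_hex(data: bytes) -> str:
    """The value a download page or sha256sums.txt would publish."""
    return hashlib.sha256(data).hexdigest()


def _hash_as_int(data: bytes, n: int) -> int:
    """SHA-256 of the data reduced into the toy modulus (textbook RSA, no padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, d: int = D, n: int = N) -> int:
    """Produce a signature with the private exponent; only the signer can do this."""
    return pow(_hash_as_int(data, n), d, n)


def verify_signature(data: bytes, sig: int, pub: tuple = PUBLIC_KEY) -> bool:
    """Check a signature using only the public key obtained out of band."""
    n, e = pub
    return pow(sig, e, n) == _hash_as_int(data, n)


def verify_checksum(data: bytes, published_hex: str) -> bool:
    """Compare the downloaded file's SHA-256 with whatever the page says."""
    return sha256_hex(data) == published_hex


# Constructed stand-ins for the real ISO images.
GENUINE_ISO = b"archlinux-genuine-iso-contents"
EVIL_ISO = b"archlinux-iso-with-a-backdoor"

# What archlinux.org publishes when it has not been tampered with.
WEBSITE = {"sha256": sha256_hex(GENUINE_ISO), "sig": sign(GENUINE_ISO)}


def assess(downloaded_iso: bytes, website: dict) -> dict:
    """Run both checks a user could perform against what the website shows."""
    return {
        "checksum_ok": verify_checksum(downloaded_iso, website["sha256"]),
        "signature_ok": verify_signature(downloaded_iso, website["sig"]),
    }


def scenario_genuine() -> dict:
    """Honest mirror, honest website."""
    return assess(GENUINE_ISO, WEBSITE)


def scenario_corrupted_download() -> dict:
    """Transmission error: one bit flipped. Both checks fail, as they should."""
    iso = bytearray(GENUINE_ISO)
    iso[3] ^= 0x01
    return assess(bytes(iso), WEBSITE)


def scenario_mirror_hacked() -> dict:
    """Mirror serves a hijacked ISO, archlinux.org is intact (post #4):
    the checksum from the website already exposes it."""
    return assess(EVIL_ISO, WEBSITE)


def scenario_mirror_and_website_hacked() -> dict:
    """Attacker controls the ISO and the page showing the checksum (post #3):
    they rewrite the checksum to match, but cannot produce a signature
    because D never left the signer. Only the signature check fails."""
    attacker_page = {"sha256": sha256_hex(EVIL_ISO), "sig": WEBSITE["sig"]}
    return assess(EVIL_ISO, attacker_page)


if __name__ == "__main__":
    for name, fn in [("genuine", scenario_genuine),
                     ("corrupted download", scenario_corrupted_download),
                     ("mirror hacked", scenario_mirror_hacked),
                     ("mirror + website hacked", scenario_mirror_and_website_hacked)]:
        print(f"{name:24s} {fn()}")
```

The last scenario is the one post #3 describes: the checksum passes and tells you nothing, and only the signature check, which depends on a key the attacker does not hold, reports the problem. The signature is only as good as the way the public key was obtained; if it was fetched from the same compromised page, the attacker can substitute their own key, which is why the thread ends up at the web of trust.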

#5 2016-07-12 15:25:57

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,449

Re: No checksum, should I be worried?

Ah, quite right.



#6 2016-07-13 07:27:13

gurkan
Member
Registered: 2016-02-01
Posts: 28

Re: No checksum, should I be worried?

I talked to the mirror I used and they said that their server is syncing with Arch on a regular basis, and they said "As long as Arch has not been attacked, then you should not worry".

So after your answers, I think I could be safe with my not-checksummed ISOs!

Thanks for the help!


#7 2016-07-13 08:09:29

Awebb
Member
Registered: 2010-05-06
Posts: 6,275

Re: No checksum, should I be worried?

gurkan wrote:

I talked to the mirror I used and they said that their server is syncing with Arch on a regular basis, and they said "As long as Arch has not been attacked, then you should not worry".

So after your answers, I think I could be safe with my not-checksummed ISOs!

Thanks for the help!

Web of trust collision. How can you determine the integrity of a file by talking to a person?


#8 2016-07-13 09:07:34

gurkan
Member
Registered: 2016-02-01
Posts: 28

Re: No checksum, should I be worried?

Awebb wrote:

Web of trust collision. How can you determine the integrity of a file by talking to a person?

That's true! Since the ISO was downloaded from a mirror that is an ISP and hosting operator, I am willing to take that risk. But as you said, never trust someone over the internet (or in real life for that matter).
