Hi!
I have used Arch for about 9 months now and everything is working flawlessly. But yesterday it struck me that I have never checked the checksum on my ISO downloads. I know it's something that I shouldn't skip, but as I said, I have just forgotten it. My question now is whether I should be worried about "manipulated ISOs", just like what happened to Linux Mint several months ago?
Has Arch ever been exposed to something similar to Mint? I'm afraid I should reinstall all 3 of my Arch computers just because of this, or am I just paranoid?
Thanks in advance.
Once upon a time, packages weren't signed. And not everyone reinstalled their computer after they started getting signed.
If you want to be super-careful, go right ahead. But it is almost definitely safe to assume it was okay. And no, Arch hasn't been confirmed to have such an issue.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
In the case of the isos on the download page the checksum verifies the integrity of the download - it does nothing to ensure that what was downloaded was not malicious.
The checksum is useful if the iso will not boot, or does something odd. If the checksum doesn't match, it was a bad download (corrupted in transmission). But if someone maliciously replaced the iso links on the webpage with other functional but hijacked isos, then they could definitely also alter the checksum on that page (this part is much easier). So comparing the checksum of your download to the checksum printed on the download page does absolutely nothing for security.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
Well, that assumes the Archlinux.org website was hacked.
But the ISO is hosted on mirrors. So if one of the mirrors was hacked, but not the archlinux.org website where the checksum is listed, then the checksum absolutely would show something fishy.
...
Granted, if you are worried you really should check the PGP signature instead...
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
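As an added illustration of the two posts above (this is example code written for this page, not code from the thread or from the Arch project), the following Python script parses the `<hex>  <filename>` format of a sha256sums.txt file, the same format `sha256sum -c` reads, and plays out three cases on a constructed stand-in for the ISO: a clean download, a download corrupted in transit, and a replaced file whose checksum file on the same host was updated to match. The file contents, names and the temporary directory are constructed for the demonstration.

```python
"""What a published checksum proves about a downloaded ISO, and what it does not."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 (ISOs are large, so avoid reading them whole)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse `<hex>  <filename>` lines (the sha256sums.txt format used by `sha256sum -c`)."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")  # two spaces separate digest and name
        name = name.lstrip("*")                   # a leading '*' marks binary mode
        hexdigits = set("0123456789abcdef")
        if not sep or len(digest) != 64 or set(digest.lower()) - hexdigits or not name:
            raise ValueError(f"malformed sha256sums line: {raw!r}")
        sums[name] = digest.lower()
    return sums


def verify_download(iso_path, sums_text):
    """True iff the file's SHA-256 equals the entry for its basename in sums_text."""
    expected = parse_sha256sums(sums_text).get(Path(iso_path).name)
    return expected is not None and sha256_of(iso_path) == expected


def scenarios():
    """Play out the cases from the thread with a constructed file; returns a dict of verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        genuine = b"CONSTRUCTED-ISO-SAMPLE-NOT-A-REAL-IMAGE\n" * 1000  # stand-in for the ISO
        iso = d / "archlinux-x86_64.iso"
        iso.write_bytes(genuine)
        # Reference the project publishes (stands in for the checksum on archlinux.org).
        upstream_sums = f"{hashlib.sha256(genuine).hexdigest()}  archlinux-x86_64.iso\n"
        verdicts = {}

        # 1. Clean download: integrity check passes.
        verdicts["clean"] = verify_download(iso, upstream_sums)

        # 2. Corrupted transfer: one flipped bit, caught by the checksum.
        corrupted = bytearray(genuine)
        corrupted[100] ^= 0x01
        iso.write_bytes(bytes(corrupted))
        verdicts["corrupted"] = verify_download(iso, upstream_sums)

        # 3. Replaced file on a mirror whose own checksum file was rewritten to match.
        replaced = genuine + b"<constructed extra bytes>\n"
        iso.write_bytes(replaced)
        mirror_sums = f"{hashlib.sha256(replaced).hexdigest()}  archlinux-x86_64.iso\n"
        verdicts["replaced_vs_same_host_sums"] = verify_download(iso, mirror_sums)  # passes!
        verdicts["replaced_vs_upstream_sums"] = verify_download(iso, upstream_sums)  # caught
        return verdicts


if __name__ == "__main__":
    for case, ok in scenarios().items():
        print(f"{case:>28}: {'OK' if ok else 'MISMATCH'}")
```

The third case is the one the two posts disagree about and then resolve: a checksum taken from the same place as the file proves nothing, while a checksum from a separate source (the project site versus a mirror) does catch a swapped file. Neither proves who produced the file; for that you verify the detached signature against the release key, which is what `gpg --verify` on the `.sig` file does.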
Ah, quite right.
"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" - Richard Stallman
I talked to the mirror I used and they said that their server is syncing with Arch on a regular basis, and they said "As long as Arch has not been attacked, then you should not worry".
So after your answers, I think I could be safe with my unchecksummed ISOs!
Thanks for the help!
> I talked to the mirror I used and they said that their server is syncing with Arch on a regular basis, and they said "As long as Arch has not been attacked, then you should not worry".
> So after your answers, I think I could be safe with my unchecksummed ISOs!
> Thanks for the help!
Web of trust collision. How can you determine the integrity of a file by talking to a person?
> Web of trust collision. How can you determine the integrity of a file by talking to a person?
That's true! Since the ISO was downloaded from a mirror that is an ISP and hosting operator, I am willing to take that risk. But as you said, never trust someone over the internet (or in real life for that matter).