Incorrect MD5 sums

Karl Wilbur karl at karlwilbur.net
Wed Apr 14 08:54:37 PDT 2004


Adam Richard wrote:
> When I went to download the individual packages for Linux From Scratch at: 
> http://lfs.oregonstate.edu/lfs/packages.html
> they had a list of MD5 sums for each package.  I downloaded all the packages then
> checked the MD5 sums with the output of the md5sum command.  For some of the patches,
> they were different from some mirrors.  After investigating, I discovered that some
> patches have a comment at the top saying "Submitted by: LFS book"....  Some mirrors
> have patches with this comment and some don't, but they all show the MD5 sum for the
> version that doesn't.  I'm sure the patches still work, but it is misleading to people
> who are checking whether the download worked correctly.
People should not be altering the patches, or any file for that matter, even to
add comments.  This negates the effect of the md5sums.  The md5sums being
available from a know and trusted source makes it possible to confirm that A)
your download was not corrupt and b) the file has not been tampered with.
Altrering a file completely invalidates the trusted md5sum for "b" above.

I would _never_ use a file that didn't check out with the _trusted_ md5sum.

-- 
-Karl Wilbur

www.karlwilbur.net

This message made with 100% recycled bits.

Registered Linux user #307374
http://counter.li.org/

LFS user #8237 since v4.0



More information about the website mailing list