Xinming He wrote:
I think I actually got the right file. The size of the original file should be 4,370,640,896. Previously I used Internet Explorer to see the file size in the file property. Clearly it gives a wrong number. But still we implicitly assume all mirror sites are trustable and are properly protected. It is much better to use digital signature instead of md5sum to protect the integrity of the file.
?? How do you justify the blanket statement "It is much better to use digital signature instead of md5sum to protect the integrity of the file." ??
For any file, an md5sum cannot be forged. If a single bit is changed in the file, the calculated md5sum changes by a LOT. A digital signature can be forged but an actual md5sum cannot be changed unless the file is changed and then published sums from all sources are modified to show the changed value instead of the original value.
Using IE and expecting to see the number of bytes in the file is kind of dumb. Winblows is not in any way accurate in displaying file size, especially since it usually displays the size in terms of Kb or Mb rather than in terms of Bytes. It also displays it in terms of space used on the drive, rather than actual file size.
If the md5sum is correct I would suspect the difference in displayed file size is a result of differences in platform it is displayed on (source vs yours) rather than an error in the file.
----- Original Message -----
From: "Xinming He" <xhe@xxxxxxx>
To: <fedora-list@xxxxxxxxxx>
Sent: Tuesday, May 25, 2004 7:16 PM
Subject: problem with FC2-i386-DVD.iso
I downloaded FC2-i386-DVD.iso from a mirror site ftp://limestone.uoregon.edu/fedora/ using Internet Explorer. It is strange to see that the size of the file I got is 4,370,640,896, while the size of the original file is 4,294,967,295. I got the same md5sum as specified in the redhat web site. It is quite strange. Not sure if I have got the right file. It would be better if the file is protected with some digital signature instead of the simple md5sum.
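Both messages turn on where the published md5sum comes from relative to the mirror that served the file. The following is an added example, not part of the original thread: it checks one download against a sum taken from the mirror itself and against a sum taken from the project's own site, and also returns the exact byte count read. The data, names and the modified mirror are constructed assumptions.

```python
import hashlib
import hmac
import io

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-gigabyte ISO never sits in memory


def md5_of_stream(stream):
    """Return (hex digest, exact byte count) for a binary stream, read in chunks."""
    h = hashlib.md5()
    total = 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        h.update(block)
        total += len(block)
    return h.hexdigest(), total


def verify(stream, published_sum):
    """True only if the stream's MD5 equals the published value."""
    actual, _ = md5_of_stream(stream)
    return hmac.compare_digest(actual, published_sum.strip().lower())


# Constructed sample data standing in for the ISO; not real Fedora content.
ORIGINAL = b"constructed-iso-image " * 4096
TAMPERED = ORIGINAL[:-1] + b"!"  # same length, last byte changed

# Sum published on the project's own site (assumed out of the mirror's reach).
PROJECT_SUM = hashlib.md5(ORIGINAL).hexdigest()

# Hypothetical modified mirror: it serves the changed file AND a matching sum.
MIRROR_FILE = TAMPERED
MIRROR_SUM = hashlib.md5(TAMPERED).hexdigest()


def check_download():
    """Compare the same download against both sources of the reference sum."""
    return {
        "against_mirror_sum": verify(io.BytesIO(MIRROR_FILE), MIRROR_SUM),
        "against_project_sum": verify(io.BytesIO(MIRROR_FILE), PROJECT_SUM),
        "clean_copy_against_project_sum": verify(io.BytesIO(ORIGINAL), PROJECT_SUM),
    }


if __name__ == "__main__":
    for name, ok in check_download().items():
        print(f"{name}: {'OK' if ok else 'MISMATCH'}")
```

The changed file passes when the reference sum comes from the same mirror and fails when it comes from the independent source; the byte count from `md5_of_stream` does not depend on how a browser or file manager displays the size.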