Anne Wilson wrote:
> On Saturday 17 May 2008 19:06, Peter Gordon wrote:
>> I have just downloaded Fedora-9-i386-DVD.iso, which seems to be a
>> complete and correct download.
>> The md5sum of the downloaded file is 72601f685ea8c808c303353d8bf4d307
>> while the downloaded file SHA1SUM contains
> SHA1SUM is a different (and many think superior) algorithm. Simply run
> sha1sum against the file, instead of md5sum, and you should then match your
> download against the first line in the fedora file.
Right. For a time sha1sum was harder to forge than md5sum, so it was
more secure, and still is to some extent. However, a way to forge
sha1sum has also been found, and while it's not common yet, sha256sum is
now being used.
The good news is that this extra level of protection isn't necessary
unless you suspect hackery, rather than just hardware corruption. So
while sha256 is better to use for something you download from an unknown
source, sha1sum and md5sum are as safe as ever to detect *random*
corruption, particularly for checking backups and the like.
It's a matter of security vs. CPU time, for the FC9-KDS-Live CD:
md5 user 0m1.858s
sha1 user 0m4.786s
sha256 user 0m8.249s
sha512 user 0m32.050s
This is on an Intel 6600, sort of a middle-of-the-road CPU these days. On
a smaller, slower CPU (think laptop) this really gets painful. So you
decide how likely you are to get errors (random change) or hackery
(attempted stealth), and you choose what you need.
Since bittorrent has per-extent CRC, the chances of corruption are
slight if you get the torrent file from a safe source. Hope this helps
identify the choices.
--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
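Added example, not part of the original thread: a Python sketch of the check discussed above, which reads a coreutils-style checksum listing, picks the hash algorithm from the digest length (so an md5sum value is never compared against a SHA1SUM entry), and streams the file through it. The file names, the sample data and the `Hash: SHA1` wrapper line are constructed for illustration, and the script does not verify any signature on the listing itself.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Hex digest length -> algorithm; an md5sum value (32) can never equal a SHA1SUM entry (40).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
LINE_RE = re.compile(r"^([0-9a-fA-F]+) [ *](.+)$")

def parse_checksum_file(text):
    """Parse '<digest> [ *]<name>' lines into {name: (algo, digest)}; skip other lines."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and len(m.group(1)) in ALGO_BY_HEX_LEN:
            entries[m.group(2)] = (ALGO_BY_HEX_LEN[len(m.group(1))], m.group(1).lower())
    return entries

def file_digest(path, algo, chunk_size=1 << 20):
    """Hash in chunks so a DVD-sized image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, checksum_text):
    """Return 'OK', 'MISMATCH' or 'NOT LISTED' for the file at path."""
    entry = parse_checksum_file(checksum_text).get(os.path.basename(path))
    if entry is None:
        return "NOT LISTED"
    algo, expected = entry
    return "OK" if hmac.compare_digest(file_digest(path, algo), expected) else "MISMATCH"

def demo():
    """Constructed data: a small stand-in file and a listing built for it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.iso")
        with open(path, "wb") as f:
            f.write(b"constructed sample data\n" * 1000)
        listing = "Hash: SHA1\n\n%s *sample.iso\n" % file_digest(path, "sha1")
        before = verify(path, listing)
        with open(path, "r+b") as f:  # flip one byte to simulate corruption
            f.seek(10)
            f.write(b"X")
        return before, verify(path, listing), verify(os.path.join(d, "other.iso"), listing)

if __name__ == "__main__":
    print(demo())
```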