problem with FC2-i386-DVD.iso

Jeff Vian jvian10 at charter.net
Wed May 26 13:04:58 UTC 2004



Xinming He wrote:

>I think I actually got the right file. The size of the original file should
>be 4,370,640,896. Previously I used Internet Explorer to see the file size
>in the file property. Clearly it gives a wrong number. But still we
>implicitly assume all mirror sites are trustable and are properly
>protected. It is much better to use digital signature instead of md5sum to
>protect the integrity of the file.
>
?? How do you justify the blanket statement "It is much better to use 
digital signature instead of md5sum to protect the integrity of the 
file." ??

For any file, an md5sum cannot be forged.  If a single bit is changed in 
the file, the calculated md5sum changes by a LOT. A digital signature 
can be forged but an actual md5sum cannot be changed unless the file is 
changed and then published sums from all sources are modified to show 
the changed value instead of the original value.

Using IE and expecting to see the number of bytes in the file is kind of 
dumb.  Winblows is not in any way accurate in displaying file size, 
especially since it usually displays the size in terms of Kb or Mb 
rather than in terms of Bytes.   It also displays it in terms of space 
used on the drive, rather than actual file size.

If the md5sum is correct I would suspect the difference in displayed 
file size is a result of differences in platform it is displayed on 
(source vs yours) rather than an error in the file.

>----- Original Message ----- 
>From: "Xinming He" <xhe at usc.edu>
>To: <fedora-list at redhat.com>
>Sent: Tuesday, May 25, 2004 7:16 PM
>Subject: problem with FC2-i386-DVD.iso
>
>>I downloaded FC2-i386-DVD.iso from a mirror site
>>ftp://limestone.uoregon.edu/fedora/ using Internet Explorer. It is strange
>>to see that the size of the file I got is 4,370,640,896, while the size of
>>the original file is 4,294,967,295. I got the same md5sum as specified in
>>the redhat web site. It is quite strange. Not sure if I have got the right
>>file. It would be better if the file is protected with some digital
>>signature instead of the simple md5sum.

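Added example (not part of the original thread, and not code from either poster): Python code for the check discussed above, hashing the download, comparing it with md5sum-format listings published by more than one source, and reading the exact byte count rather than a rounded display. The function names, source labels and sample file are assumptions constructed for illustration.

```python
import hashlib
import os
import tempfile

HEX = set("0123456789abcdef")

def parse_sum_listing(text):
    """Parse md5sum-style lines ('<hex>  name' or '<hex> *name') into {name: hex}."""
    sums = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        name = name.lstrip(" *")
        if len(digest) == 32 and set(digest.lower()) <= HEX and name:
            sums[name] = digest.lower()
    return sums

def file_digest(path, algo="md5", chunk=1 << 20):
    """Stream the file so a multi-gigabyte ISO never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_download(path, name, listings):
    """Compare a local file with listings ({source: text}) from separate sources."""
    published = {s: parse_sum_listing(t).get(name) for s, t in listings.items()}
    local = file_digest(path)
    distinct = {d for d in published.values() if d}
    return {
        "size_bytes": os.stat(path).st_size,  # exact byte count, not a rounded display
        "local": local,
        "missing": sorted(s for s, d in published.items() if not d),
        "sources_agree": len(distinct) == 1,
        "ok": distinct == {local} and all(published.values()),
    }

def demo():
    # Constructed sample: a small stand-in file and three constructed listings.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"constructed stand-in for an ISO image\n")
    good = file_digest(fh.name)
    listings = {"project-site": f"{good}  sample.iso\n",
                "mirror-a": f"{good} *sample.iso\n",
                "mirror-b": "0" * 32 + "  sample.iso\n"}
    disputed = check_download(fh.name, "sample.iso", listings)
    del listings["mirror-b"]
    agreed = check_download(fh.name, "sample.iso", listings)
    os.unlink(fh.name)
    return disputed, agreed
```

A result with "sources_agree" false means one of the published listings differs from the others and the download should not be used until that is explained.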