corrupted ISOs, or wrong SHA1SUMs ?? *WARNING*

[Mogens Kjaer]

SCHAER Frederic wrote:
> Hi All,
> 
> While I thank you for your answers, I'd just like to add that I'm no
> Linux beginner...
> 
> I just downloaded yet another *2* DVD images directly from Linux : -
> one using
> http://mirrors.fedoraproject.org/mirrorlist?path=pub/fedora/linux/releases/9/Fedora/x86_64/iso/Fedora-9-x86_64-DVD.iso&country=FR&redirect=1
>  - the other one using the URL in my firefox download history :
> ftp://fr2.rpmfind.net//linux/fedora/releases/9/Fedora/x86_64/iso/Fedora-9-x86_64-DVD.iso
> 
I can confirm that the ISO on fr2.rpmfind.net is bad.

However:

I've fetched a good and a bad DVD, loopmounted both, and
did a

# diff -urN /mnt/good /mnt/bad

and one file differs:

Binary files good/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm and
bad/Packages/
eclipse-pde-3.3.2-11.fc9.x86_64.rpm differ

Testing the signatures:

mk at mk>rpm --checksig /mnt/good/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm
/mnt/good/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm: (sha1) dsa sha1
md5 gpg OK
mk at mk>rpm --checksig /mnt/bad/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm
/mnt/bad/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm: (sha1) dsa sha1
MD5 GPG NOT OK

So what's in eclipse-pde?

It doesn't look "dangerous" to me - now if it were openssh AND
had a good signature things would be different...

Mogens

-- 
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk at crc.dk Homepage: http://www.crc.dk