corrupted ISOs, or wrong SHA1SUMs ?? *WARNING*
Mogens Kjaer
mk at crc.dk
Mon Aug 25 10:31:55 UTC 2008
SCHAER Frederic wrote:
> Hi All,
>
> While I thank you for your answers, I'd just like to add that I'm no
> Linux beginner...
>
> I just downloaded yet another *2* DVD images directly from Linux : -
> one using
> http://mirrors.fedoraproject.org/mirrorlist?path=pub/fedora/linux/releases/9/Fedora/x86_64/iso/Fedora-9-x86_64-DVD.iso&country=FR&redirect=1
> - the other one using the URL in my firefox download history :
> ftp://fr2.rpmfind.net//linux/fedora/releases/9/Fedora/x86_64/iso/Fedora-9-x86_64-DVD.iso
>
I can confirm that the ISO on fr2.rpmfind.net is bad.
However:
I've fetched a good and a bad DVD, loopmounted both, and
did a
# diff -urN /mnt/good /mnt/bad
and one file differs:
Binary files good/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm and
bad/Packages/
eclipse-pde-3.3.2-11.fc9.x86_64.rpm differ
Testing the signatures:
mk at mk>rpm --checksig /mnt/good/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm
/mnt/good/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm: (sha1) dsa sha1
md5 gpg OK
mk at mk>rpm --checksig /mnt/bad/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm
/mnt/bad/Packages/eclipse-pde-3.3.2-11.fc9.x86_64.rpm: (sha1) dsa sha1
MD5 GPG NOT OK
So what's in eclipse-pde?
It doesn't look "dangerous" to me - now if it were openssh AND
had a good signature things would be different...
Mogens
--
Mogens Kjaer, Carlsberg A/S, Computer Department
Gamle Carlsberg Vej 10, DK-2500 Valby, Denmark
Phone: +45 33 27 53 25, Fax: +45 33 27 47 08
Email: mk at crc.dk Homepage: http://www.crc.dk
More information about the fedora-list
mailing list