bittorrent download
Bill Davidsen
davidsen at tmr.com
Sun May 18 20:30:06 UTC 2008
Anne Wilson wrote:
> On Saturday 17 May 2008 19:06, Peter Gordon wrote:
>> I have just downloaded Fedora-9-i386-DVD.iso, which seems to be a
>> complete and correct download.
>>
>> The md5sum of the downloaded file is 72601f685ea8c808c303353d8bf4d307
>> while the downloaded file SHA1SUM contains
> SHA1SUM is a different (and many think superior) algorithm. Simply run
> sha1sum against the file, instead of md5sum, and you should then match your
> download against the first line in the fedora file.
>
Right. For a time sha1sum was harder to forge than md5sum, so it was
more secure, and still is to some extent. However, a way to forge
sha1sum has also been found, and while it's not common yet, sha256sum is
now being used.

The good news is that this extra level of protection isn't necessary
unless you suspect hackery, rather than just hardware corruption. So
while sha256 is better to use for something you download from an unknown
source, sha1sum and md5sum are as safe as ever to detect *random*
corruption, particularly for checking backups and the like.

It's a matter of security vs. CPU time, for the FC9-KDS-Live CD:
md5 user 0m1.858s
sha1 user 0m4.786s
sha256 user 0m8.249s
sha512 user 0m32.050s

This is on an Intel 6600, sort of a middle-of-the-road CPU these days. On
a smaller, slower CPU (think laptop) this really gets painful. So you
decide how likely you are to get errors (random change) or hackery
(attempted stealth), and you choose what you need.

Since bittorrent has per-extent CRC, the chances of corruption are
slight if you get the torrent file from a safe source. Hope this helps
identify the choices.
--
Bill Davidsen <davidsen at tmr.com>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot