Hi,

I thought it'd be nice if the downloads on liveforspeed.net had the MD5 check under them, so people can know if they're corrupt or not if there's some kind of problem... nothing major - I can't say I've ever had problems with downloads from the LFS site.

+1

maybe .sfv files, too

Seems pointless to me, most people on this forum probably don't even know how to use md5/sfv files ~_~. This isn't the illegal filesharing scene, so there is absolutely no reason to do this .

Example: I don't even know what the hell that is!

Quote from sgt.flippy :

Example: I don't even know what the hell that is!

Its just a method of checking if the file you just downloaded is corrupt. It can happen to any download.

Personally, I'm all for this... strangely enough

There is no need for md5 checksums just to find out if your downloaded zip file is corrupted, because zip files contain checksums inside them. A corrupted zip file will not unpack without an error. Zip checksums use Adler32 hash function which is not cryptographically strong, but good enough for detecting download errors.

Sfv is even more worthless, as its CRC32 hash function is as weak as Zip checksums.

However, a cryptographically strong checksum could be useful to detect if the file has not been tampered with. The problem is, if the checksum is available from the same place as the downloaded file, how do you know it has not been modified too? Thus, the checksums should not only be provided on liveforspeed.net as suggested, but also independently from other download sites and thru other channels.
_________________________________________

LFS_S2_ALPHA_U.zip: 144411427 bytes
MD5: c79c115cd6998fb343286a37b22e5ba4
SHA1: f27ae892ee8b95b6d96dd14b804603a2d21ad693

There are no corruption issues indeed. BUT, perhaps a mirror has been compromised and an LFS download might as well contain viruses or trojans.

An MD5 on the main server would be perfect to check for the validity of files downloaded from various mirrors.

I vote yes!

Quote from avellis :

BUT, perhaps a mirror has been compromised and an LFS download might as well contain viruses or trojans.

An MD5 on the main server would be perfect to check for the validity of files downloaded from various mirrors.

Not perfect, but a step in the right direction

Care should be taken to correctly handle mirroring. There were already cases when upstream sources were compromised, then mirrors just picked up the modified files together with modified checksums and raised no alarm. The irssi irc client compromise was not caught by mirrors, but by users and linux distribution package maintainers, because their package building scripts complained about checksum mismatch.

What I would really like to see is major Windows download sites to provide file checksums, because the more widespread usage, the higher chance someone will spot tampering.

And while we're at it, the open source world is moving away from MD5 because of its flaws. Better use SHA1 instead.