The Secret Maze of Debian Images (blog.fai-project.org)
submitted 3 days ago by ikidd@lemmy.world to c/linux@lemmy.ml

Delve into the wondrous labyrinth of sparkling images that is the Debian build output.

[-] reallyzen@lemmy.ml 17 points 2 days ago

"You can ignore the SHA... files if you do not know what they are needed for. They are not important for you."

...That's where I stopped reading this.

[-] gomp@lemmy.ml 10 points 2 days ago

I stopped at "secret" (yes, the occurrence in the title) :)

TBH the checksums are pretty useless for humans who download an .iso and install it... they are mainly for mirrors and similar that download files without using them

[-] Dirk@lemmy.ml 8 points 2 days ago

Also: If someone manages to tamper with the downloadable ISO … they likely will be able to tamper with the signature files, too.

[-] irotsoma 3 points 2 days ago

Yeah I think hashes in the same folder are only valuable as a check to make sure you downloaded the file successfully. Which isn't a big issue for at least the around 80% of internet users who have access to broadband. They are only useful for security if the hash is on the website that you click on and then you download and verify it manually.

[-] butter@midwest.social 5 points 2 days ago

I'm fully aware of what a SHA file is, and it's entirely unimportant to me.

Admittedly, I did check the arch image I use at work.

[-] Laser@feddit.org 4 points 2 days ago

Those must have been really helpful in 1999.

[-] Hawke@lemmy.world 1 points 2 days ago

Doubt it, they were more likely using md5sum files in 1999.

[-] Laser@feddit.org 3 points 1 day ago* (last edited 1 day ago)

True! My original point though is that just providing a hash for a downloaded file is generally not required. It doesn't provide anything that other layers haven't already (a hash only guarantees integrity, while downloading over HTTPS provides authenticity). Personally, I see them as a relic of the past that made more sense when transmission was less robust (though even back then, a lot of layers provided some sort of error detection and correction), and modern filesystems can detect errors as well.
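The distinction this thread draws between a checksum file served next to the image and a digest obtained from a separate channel, as an added example that is not part of any comment or of the linked article. The file name, sample bytes, pinned digest and status strings are constructed for illustration.

```python
import hashlib
import hmac
import string
from typing import Dict, Optional

NAME = "image.iso"  # hypothetical file name
GOOD = b"constructed stand-in for an installer image\n"
TAMPERED = GOOD + b"constructed modification\n"
# Assumption: this digest reached the user over a channel the download
# server does not control.
PINNED = hashlib.sha256(GOOD).hexdigest()


def sums_for(image: bytes, name: str) -> str:
    """Build a sha256sum-style listing, as anyone who controls the directory can."""
    return f"{hashlib.sha256(image).hexdigest()}  {name}\n"


def parse_sums(text: str) -> Dict[str, str]:
    """Parse '<hex digest><space><space or *><file name>' lines; skip anything else."""
    sums = {}
    for line in text.splitlines():
        digest, sep, rest = line.partition(" ")
        if not sep or len(rest) < 2 or rest[0] not in " *":
            continue
        if len(digest) != 64 or any(c not in string.hexdigits for c in digest):
            continue
        sums[rest[1:]] = digest.lower()
    return sums


def check_image(image: bytes, name: str, sums_text: str,
                pinned: Optional[str] = None) -> str:
    actual = hashlib.sha256(image).hexdigest()
    listed = parse_sums(sums_text).get(name)
    if listed is None:
        return "not-listed"
    if not hmac.compare_digest(actual, listed):
        return "corrupt"  # image and listing disagree: bad or partial transfer
    if pinned is None:
        return "intact-unauthenticated"  # consistent, but both came from one place
    if hmac.compare_digest(actual, pinned.lower()):
        return "intact-authenticated"
    return "pin-mismatch"  # image and listing agree with each other, not with the pin


if __name__ == "__main__":
    print(check_image(GOOD[:10], NAME, sums_for(GOOD, NAME)))           # corrupt
    print(check_image(TAMPERED, NAME, sums_for(TAMPERED, NAME)))        # intact-unauthenticated
    print(check_image(TAMPERED, NAME, sums_for(TAMPERED, NAME), PINNED))  # pin-mismatch
```

A modified image with a regenerated listing passes the same-directory check and is only caught by the pinned digest, while a truncated download is caught by the listing alone.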

this post was submitted on 20 Feb 2025
29 points (100.0% liked)
