Installing Ubuntu or other Linuxes

Bob Warren bobwarren at howsoft.com
Mon Mar 19 15:36:47 EDT 2007


Bob Warren wrote:

> > In my last post, I recommended a short article of simple, practical 
> > (layman's) advice for those considering the possibility of trying Linux 
> > (or my favourite, Ubuntu) and Rev/Linux 2.6.1 for the first time.
> > 
> > It has now been properly presented, and you can view it at the following 
> > URL if you are interested:
> > 
> > http://www.howsoft.com/runrev/installing_ubuntu_or_other_linuxes.htm
>   

Richard Gaskin wrote:

> Thanks for that, Bob.  One thing I love about Ubuntu, and which bodes 
> well for its broad adoption, is that they have probably the easiest, 
> most convenient, one-CD-image install I've seen.  Your article makes it 
> even easier.  Good work.


> > There is one other simple piece of advice I would like to offer in 
> > addition to that given in the article. After downloading ISO files from 
> > Ubuntu or any other source, CHECK THE BYTE COUNT IS CORRECT before 
> > burning your CD or attempting to install.
>   

> Providing checksums seems a relatively common practice these days, but 
> it raises a question:  if a hacker can replace the download, what's to 
> prevent them from also replacing the checksum string?
> 
> I've had a few customers from large organizations ask me to provide a 
> checksum for WebMerge, and when I've asked them that question they've 
> had no answer.  Any insight into what I'm overlooking on this would be 
> appreciated.

---------------------------------------------------

Thank you, and you're welcome. Any flashes of insight will be 
immediately transmitted.

In general terms, perhaps the reliability of the source of the download 
is the main defence. I've never thought of a checksum as being anything 
other than a guide to the reliability of the download. In fact, I know 
absolutely nothing about checksums nowadays, but thinking back to about 
35 years ago when I used to work professionally in the computer field, I 
remember that a checksum was far more than a simple byte count. If the 
checksum of the file in one's possession did not correspond to the 
checksum at the source, then it had been altered in some way. So for 
example, two different files with the same byte counts could certainly 
be distinguished by their checksums.

The most important thing is that the CHECKSUM itself (i.e. a pure 
number) should be received from a reliable source: the file can 
therefore be put in the hands of a potentially UNreliable source.

But how does one view or calculate the checksum of a file anyway? I 
don't even know how to do that. It must depend on the TYPE of checksum, 
i.e. the algorithm used to calculate it. The algorithm needs to 
guarantee that a unique number is produced for the file, and if a single 
byte is replaced, the checksum is different. You can probably invent 
your own algorithm which produces a private style of checksum.

Whatever, it remains that the number itself needs to be received from a 
reliable source, otherwise, nothing doing. If the calculated checksum of 
the file does not correspond to the number you have been given 
independently, then it has been hacked. I think that the answer to your 
question is that if you do not protect your information about this 
precious little number and provide a reliable source for transmitting it 
to the person who is going to receive the file, there is no way you can 
protect your file, wherever it is.

I've deliberately let myself rave on like a lunatic, talking a lot of 
rubbish. Such things can sometimes provoke the creative flash of insight 
you are looking for.

Bob
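
The question raised in this thread, worked through as an added example that is not part of the original posts: a same-size altered file passes a byte-count check and passes a checksum posted beside it on the same compromised server, but fails against a checksum obtained from a separate source. SHA-256, the function names and the sample bytes are assumptions chosen for illustration; the data is constructed, not a real ISO.

```python
import hashlib
import io


def file_digest(stream, algorithm="sha256", chunk_size=1 << 20):
    """Hash a binary stream in chunks so a CD-sized ISO never sits in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def verify(stream, expected_hex, algorithm="sha256"):
    """True only if the stream's digest equals the published value."""
    return file_digest(stream, algorithm) == expected_hex.strip().lower()


# Constructed sample data standing in for an ISO image (not a real release).
GENUINE = b"ISO-IMAGE " + b"\x00" * 4096 + b"installer v1"
TAMPERED = b"ISO-IMAGE " + b"\x00" * 4096 + b"installer vX"  # same length, one byte changed

# The publisher computes the checksum once and hands it out over a channel
# the download server cannot write to (assumption: such a channel exists).
TRUSTED_SUM = file_digest(io.BytesIO(GENUINE))

# A compromised server swaps the file and the checksum posted beside it.
MIRROR_FILE = TAMPERED
MIRROR_SUM = file_digest(io.BytesIO(TAMPERED))


def audit():
    """Run the three checks discussed in the thread against the served file."""
    return {
        "same_byte_count": len(MIRROR_FILE) == len(GENUINE),
        "passes_mirror_checksum": verify(io.BytesIO(MIRROR_FILE), MIRROR_SUM),
        "passes_trusted_checksum": verify(io.BytesIO(MIRROR_FILE), TRUSTED_SUM),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```

For a real download, open the file with `open(path, "rb")` and pass it to `verify` together with the checksum string received from the independent source.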



