Bug 527060 - Request for checksum tool for Windows and clarification of instructions for download validation on Windows

Paul W. Frields stickster at gmail.com
Fri Oct 30 18:10:58 UTC 2009


On Fri, Oct 30, 2009 at 01:40:05PM -0400, Eric Christensen wrote:
> This ticket[1] has been sitting in BZ for a few weeks so I grabbed it.
>  I'd like some input on the best way of remedying the issues.
> 
> The ticket contains two problems, which I'll address separately.
> 
> <QUOTE>
> 1.  It would be much more convenient if there were a Windows utility for
> computing checksums available from the Fedora website.  Yes, there are links to
> other websites that offer such tools, but this significantly reduces the amount
> of trust one can place in the tools, especially since they are not typically
> mainstream, high profile sites.  The page
> (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html)
> even has a prominent warning: "CAVEAT EMPTOR The Fedora Project and Red Hat
> Inc. have no control over external sites such as the ones listed above, or the
> programs they provide" in reference to links to Windows checksum tools.
> </QUOTE>
> 
> I'm not sure what our options are for creating Windows software to
> check checksums.  Personally I feel that it is out of scope for
> Fedora.  There are options available to the user but I agree with the
> warning provided.  Using something like BitTorrent to download the
> ISOs is a good option as the bits are verified automatically but that
> doesn't sound like a good option to give to someone running Windows.
> Any thoughts?

I don't feel it's out of scope when the purpose is to allow users of
another OS to be sure their downloaded Fedora media is correct.
BitTorrent is the best answer, and there are plenty of BT tools for
Windows to support that.  I made a comment in the bug about MinGW and
that it might offer the ability to compile and offer such a tool.

A sha256sum tool is hard to come by on Windows and I didn't find
anywhere with a published version that I'd call trustworthy -- not in
the "you're probably a bad guy" sense, but in the sense of not having
much in the way of signatures and such to trace the work.  I don't
feel comfortable sending Fedora users to some random site where a guy
claims he "recompiled and everything worked fine, so here it is."

> <QUOTE>
> 2. From the home page I first clicked on "Get Fedora" in the sidebar.  After
> downloading the disc image, I clicked on "Verify your download" which led me to
> (http://fedoraproject.org/en/verify).  At the top of this page was a link for
> Windows users with the text "Windows user? Follow these instructions instead."
> that led to
> (http://docs.fedoraproject.org/readme-burning-isos/en_US/sn-validating-files.html).
>  But this page for Windows users was not self contained as the word "instead"
> implied, since it did not have links to the checksum files.  It would clarify
> navigation to have all the information needed to verify the download on a
> single page, first presenting the checksum files, and then offering a choice
> between Linux or Windows for instructions on how to compute the checksum.
> </QUOTE>
> 
> Well, this does fold into the first problem.  Right now the link from
> "Get Fedora" sends you to a webpage[2] that provides information on
> verifying the checksum from cli.  There is a link at the top of the
> page that sends you to the "readme-burning-isos" on docs.fp.o (which
> may or may not be out of date).  This brings up multiple questions in
> my head.  I don't have a problem putting the information from the
> guide on a webpage but should we duplicate the data in the two forms?
> Do they both get updated when a change is made?  I don't know.  But we
> should come up with a way forward on this.
> 
> Comments encouraged!
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=527060
> [2] http://fedoraproject.org/en/verify

I'd recommend discussion on the bug itself; I cc'd Richard W.M. Jones
who is a MinGW knowledgeable individual, IIRC.

-- 
Paul W. Frields                                http://paul.frields.org/
  gpg fingerprint: 3DA6 A0AC 6D58 FEC4 0233  5906 ACDB C937 BD11 3717
  http://redhat.com/   -  -  -  -   http://pfrields.fedorapeople.org/
  irc.freenode.net: stickster @ #fedora-docs, #fedora-devel, #fredlug
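
The check a sha256sum-style tool performs, as an added example that is not part of the original message or of any Fedora tooling: a portable Python script that hashes a downloaded image and compares it with the entry in a checksum list. A match only shows the file agrees with the list; the list itself still has to be trusted, for example through its signature. The two line layouts accepted and the file name example.iso are assumptions, and the sample data is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Both layouts are assumptions about the checksum list, not taken from the post:
# GNU "<64 hex> *<name>" / "<64 hex>  <name>", BSD "SHA256 (<name>) = <64 hex>".
GNU_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")


def parse_checksums(text):
    """Return {file name: lowercase hex digest}; PGP armor and other lines are skipped."""
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if m := GNU_LINE.match(line):
            digests[m.group(2)] = m.group(1).lower()
        elif m := BSD_LINE.match(line):
            digests[m.group(1)] = m.group(2).lower()
    return digests


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte ISO is never held in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(path, checksum_text):
    """True only if the file is listed and its digest matches; an unlisted file fails."""
    expected = parse_checksums(checksum_text).get(Path(path).name)
    return expected is not None and expected == sha256_file(path)


def demo():
    """Constructed sample: a small stand-in file checked before and after corruption."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d) / "example.iso"  # hypothetical file name
        iso.write_bytes(b"constructed sample image\n")
        listing = f"-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n{sha256_file(iso)} *{iso.name}\n"
        ok = verify(iso, listing)
        iso.write_bytes(b"corrupted download\n")
        return ok, verify(iso, listing)
```

Calling demo() returns (True, False): the intact file verifies and the altered one does not.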



