Please someone update the Sha1 Checksum info in the Fedora verify pages

[smr54]

I can tell if I see them side by side. But if I just saw

086fd570518ac58d3966c43c1b6d146e38919d8d

or even the shorter

ca49964739f84848ca78fc03662272fb

I really wouldn't know. I'm still impressed.

[stoat]

I have to admit that I cheated (sorta) when the change from MD5 to SHA-1 hashes happened with Fedora Core 4... In those days, the checksum files had the names MD5SUM and SHA1SUM. Only the most inattentive person would have missed or been confused by those. The change to SHA-256 hashes with Fedora 11 was accompanied by the change to those checksum filenames which no longer gave the clue. But the difference in the lengths of SHA-1 and SHA-256 is too great to miss.

P.S.: That "SHA1" thing in the text of the checksum files has always been there, even in the old MD5SUM checksum files all the way back to Fedora Core 1. So it was understandable for it to still be in the new checksum files starting with Fedora 11. But that's when the wheels fell off, and this subject became a popular topic for discussion.

[smr54]

Maybe more people started checking? Seems to me that prior to F11 or so, they might have been in their own directory, and labeled as whatever they were. For example, CentOS, which probably follows RH, has a separate directory marked SHA1 sums, or possibly even md5sums, or something.

Again, I think the difference is only too great to miss for some talented folks, or folks who work with the sums frequently. Shucks, even the distrowatch folks made the mistake, and one imagines that they frequently work with the sums. I think that we less talented folks only look at them when we download something, and don't pay that much attention. Or maybe I'm just I'm just either dumb, or more charitably, somewhat oblivious. I feel I have to surrender my elite card. :-(

[Darr247]

Quote:

Originally Posted by RahulSundaram

There is no reliable SHA256 checksum binary for Windows that we can point users to.

I use HashCalc in Win - http://www.slavasoft.com/?source=HashCalc.exe

I admit I haven't burned it in with constant hashing for 3 days straight, but what's 'unreliable' about it?

[RahulSundaram]

Hi,

For one thing, unless we have the source to it, we can't verify whether the hash it generates is accurate in all instances. Primary recommendation would have to be something we can verify the accuracy of, especially since this is security sensitive. This problem has now been solved by using MingGW to cross compile the Linux source.

[aleph]

The SHA1 thing is the hashing algorithm used to generate the PGP signature (cf http://www.ietf.org/rfc/rfc4880.txt). It has nothing to do with the content of the message signed, which contains SHA256 checksum info for the install image files.

And yep, more people are getting the idea of checking the media, but not all of them groks PGP at the same time

[Darr247]

p.s.
FreeDownloadManager (freedownloadmanager.org) can perform an integrity check when it's done, not unlike your favorite torrent app (in fact, FDM does torrents too), if you paste in the value that is supposed to match anytime before the download finishes.

In the attached I showed the different hashes it can check instead of the choices of what to do if it doesn't match... the latter are Ask (shown), Restart Download, or Do Nothing.

For people using something like that, it might turn out to be important for them to know if it's really sha1 or sha256, e.g. if their internet service is tiered and they must pay extra if they go over a certain GB level... otherwise if they set it to Restart if the checksum didn't match and went to bed it might download a hundred times before they woke up.

Sure... NOW it doesn't append to my previous post in this thread.