Install package checksums

Install package checksums

Postby alpha23 » Tue Dec 24, 2019 6:05 am

Where are the linux, specifically debian, install package checksums?
alpha23
 
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Postby MeeLee » Wed Dec 25, 2019 9:45 am

I think, since the file is so small, no checksums are necessary, as it's easy to just redownload.
https://download.foldingathome.org/rele ... 4bit/v7.5/
MeeLee
 
Posts: 470
Joined: Tue Feb 19, 2019 10:16 pm

Re: Install package checksums

Postby alpha23 » Wed Jan 08, 2020 3:36 am

@MeeLee The purpose of checksums is to verify the integrity of the file and is unrelated to the size of the file.

Does anyone with the folding team know where these checksums are? I would like to support but will not run unverified packages.
alpha23
 
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Postby MeeLee » Wed Jan 08, 2020 4:01 am

Download it 3x and generate your own checksums; or don't run the software if this is a limitation for you.
in the 25 years of my life on the net, I've never ever used checksums, other than for large files where download errors could occur.
I would suspect that when you download the files from the fah servers, you're not going to be afraid of running a malicious version:
https://download.foldingathome.org/rele ... c/release/
MeeLee
 
Posts: 470
Joined: Tue Feb 19, 2019 10:16 pm

Re: Install package checksums

Postby Joe_H » Wed Jan 08, 2020 7:24 am

@alpha23 As far as I know, the official F@h sites have not listed checksums for the downloads for years. Quite frankly they are easily spoofed with the common checksums used over the years, and they may have stopped generating them as extra work for little added security.

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
Joe_H
Site Admin
 
Posts: 4664
Joined: Tue Apr 21, 2009 4:41 pm
Location: W. MA

Re: Install package checksums

Postby alpha23 » Fri Jan 17, 2020 8:13 pm

@MeeLee, @Joe_H, While Windows users may not use checksums to verify their packages, Linux users do and it is standard practice. Downloading from FAH servers does not guarantee the package integrity, which is the purpose of checksums/package signing. It appears that there is a lack of understanding of why this is important and how it works, especially by the FAH team which does not post these. Checksums can easily be generated and posted on a website where they cannot be spoofed. Alternatively, the packages could be signed via pgp to verify their integrity. This is also standard practice.

Obviously, I can choose to not run the software, which is what I will do until the package integrity can be verified, but that defeats the purpose of this conversation (@MeeLee, your comment regarding the same is frankly uncalled for). It is unfortunate because not including checksums/signed packages excludes the Linux admins, and others, who intelligently follow standard practices. The FAH team is losing out on computing resources. I alone have 2 video cards, capable of over 10 TFLOPs total, that are currently bored because they have nothing to do but are interested in donating to medical science. I was looking to expand this to at least 6 cards in the near future. Interestingly, the FAH program, to my understanding, uses checksums to verify the integrity of downloaded work units.
alpha23
 
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Postby foldy » Sat Jan 18, 2020 9:58 am

Package checksums for Linux are used because packages are distributed from several servers. But FAH package is only distributed by FAH server. If you get FAH downloads from other servers then I would be suspicious.
foldy
 
Posts: 1579
Joined: Sat Dec 01, 2012 3:43 pm

Re: Install package checksums

Postby alpha23 » Mon Jan 20, 2020 11:39 pm

@foldy, That is simply not the only use case nor the reason why checksums are used. Otherwise it would be the case, for example, that the linux kernel developers (https://www.kernel.org/) are wasting their time signing packages downloaded from their servers. There are many packages that are uploaded to a server controlled by the software authors and the checksums and/or pgp signatures are provided.

My post was requesting the checksums (or pgp signature) rather than numerous individuals posting comments about their misunderstandings of checksums and attempting to explain why these are not needed.
alpha23
 
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Postby bruce » Tue Jan 21, 2020 1:49 am

You guys can disagree about checksums, but I don't see how an extensive debate about them adds anything useful to this support site.

It's the position of the FAH development staff that since all downloads MUST be obtained from the official site ... and that site is officially deemed as secure ... that checksums are unnecessary and would add nothing to the security of the download. You may be at risk if you find a copy elsewhere but that's prohibited by the EULA.
bruce
 
Posts: 23063
Joined: Thu Nov 29, 2007 10:13 pm
Location: So. Cal.

Re: Install package checksums

Postby MeeLee » Tue Jan 21, 2020 6:21 am

alpha23 wrote:@MeeLee, @Joe_H, While Windows users may not use checksums to verify their packages, Linux users do and it is standard practice. Downloading from FAH servers does not guarantee the package integrity, which is the purpose of checksums/package signing. It appears that there is a lack of understanding of why this is important and how it works, especially by the FAH team which does not post these. Checksums can easily be generated and posted on a website where they cannot be spoofed. Alternatively, the packages could be signed via pgp to verify their integrity. This is also standard practice.

Obviously, I can choose to not run the software, which is what I will do until the package integrity can be verified, but that defeats the purpose of this conversation (@MeeLee, your comment regarding the same is frankly uncalled for). It is unfortunate because not including checksums/signed packages excludes the Linux admins, and others, who intelligently follow standard practices. The FAH team is losing out on computing resources. I alone have 2 video cards, capable of over 10 TFLOPs total, that are currently bored because they have nothing to do but are interested in donating to medical science. I was looking to expand this to at least 6 cards in the near future. Interestingly, the FAH program, to my understanding, uses checksums to verify the integrity of downloaded work units.

I use Linux without checksums, without any issue for several years now...
I see no issue why making it an issue now...
Proper Linux etiquette does not state that checksums are necessary.
Like Bruce said, the source is fah servers, what more security do you want? It's just a 10 or so Meg file. Linux programs aren't signed like windows drivers. You can't get fah from the repositories, only from direct install.
Use the Deb or rpm packages. Don't bother with make.
MeeLee
 
Posts: 470
Joined: Tue Feb 19, 2019 10:16 pm

Re: Install package checksums

Postby foldy » Tue Jan 21, 2020 1:08 pm

Also www.kernel.org supports mirror sites. So you need the checksums from kernel.org to check if the binary packages of mirror sites match. Mirror sites for FAH are not supported.
foldy
 
Posts: 1579
Joined: Sat Dec 01, 2012 3:43 pm

Re: Install package checksums

Postby alpha23 » Tue Jan 21, 2020 10:06 pm

The following is for FAH development staff (do not respond to this comment unless you are on the FAH development staff because it will add little value): I would urge you to reconsider your position as articulated by @bruce above, as the assumptions made by your staff are in error. The following example illustrates the need for adequate checksums and/or signed packages (https://www.securitynewspaper.com/2016/ ... -saturday/). Moreover, there is the potential that your software could be modified during download, even if the possibility is remote. Finally, and while you will always find users who do not care or are unknowledgeable about security risks, it is standard practice for Linux admins to verify packages through checksums and/or signatures.

While I would like to contribute, for the benefit of medical research, through the usage of computing resources and electricity expenses, I will not run packages that cannot be verified.
alpha23
 
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Postby JimboPalmer » Tue Jan 21, 2020 11:05 pm

I was the programmer for a 2000 person business. The auditors once wrote JimboPalmer writes all the programs we need but never attends our meetings. Can he come to our meetings? And I wrote back, is it more important than getting the programs you need?

Folding@home has a developer, writing all the PC and server code, which he must keep in sync. You wish to task him with bookkeeping, which will slow science.
Tsar of all the Rushers
I tried to remain childlike, all I achieved was childish.
A friend to those who want no friends
JimboPalmer
 
Posts: 1015
Joined: Mon Feb 16, 2009 4:12 am
Location: Greenwood MS USA

Re: Install package checksums

Postby gbowman » Wed Jan 22, 2020 2:56 am

You are correct that we only have so much bandwidth and have to make judicious choices about how to spend it. With regard to security, we've focused our efforts on features like signing cores to ensure that nobody can insert malicious code.
gbowman
Pande Group Member
 
Posts: 231
Joined: Fri Nov 30, 2007 9:51 pm

Re: Install package checksums

Postby alpha23 » Wed Jan 22, 2020 4:36 am

@gbowman, Doesn't the development team use automated build tools such as Jenkins? After putting together the several lines of code to generate and publish a checksum during a build, there is no bandwidth required on subsequent builds.

Better yet, create a pgp keypair (done once), publish the public key to a key server (done once), and then sign the files via the private key during each build (done automatically via the build code). Only one line of code needed to sign.
alpha23
 
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am
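The build-time publishing step and the client-side verification step that this post and alpha23's earlier posts describe, as an added example. This is not Folding@home's build code and not code from any poster; it is a POSIX shell script written for this thread. The package file names, the SHA256SUMS file name and the FAH_SIGNING_KEY variable are assumptions, and the gpg signing step runs only when gpg and a key id are present, so the checksum part works on its own.

```shell
#!/bin/sh
# Added example (not Folding@home's build code): publish checksums for a
# release directory at build time, optionally detach-sign them with gpg,
# and verify a downloaded package against the published list.
# File names below are constructed; FAH_SIGNING_KEY is a hypothetical
# environment variable naming the release signing key.
set -eu

# Build side, step 1: write SHA256SUMS covering every file in the release dir.
# Lines look like "<hex digest>  ./fahclient_7.5.1_amd64.deb".
publish_checksums() {
    dir=$1
    ( cd "$dir" && find . -maxdepth 1 -type f ! -name 'SHA256SUMS*' \
        -exec sha256sum {} + | sort -k2 > SHA256SUMS )
}

# Build side, step 2 (optional): detach-sign SHA256SUMS with the release key.
# Signing the list once covers every package it names, so the publisher only
# needs one signature per release instead of one per file.
sign_checksums() {
    dir=$1
    keyid=$2
    gpg --batch --yes --armor --detach-sign --local-user "$keyid" "$dir/SHA256SUMS"
}

# Client side, step 1: compare the digest of a downloaded package with the
# entry published for it. Returns 0 on match, 1 on mismatch, 2 if unlisted.
verify_package() {
    sums=$1
    pkg=$2
    name="./$(basename "$pkg")"
    expected=$(awk -v f="$name" '$2 == f { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no entry for $name in $sums" >&2
        return 2
    fi
    actual=$(sha256sum "$pkg" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Client side, step 2 (when the publisher signs): check the detached
# signature before trusting the list at all. gpg exits non-zero if the
# signature does not match or the signing key is not in the keyring.
verify_signature() {
    gpg --verify "$1.asc" "$1"
}

# Stand-alone demonstration on a constructed release directory.
demo() {
    rel=$(mktemp -d)
    printf 'constructed package bytes\n' > "$rel/fahclient_7.5.1_amd64.deb"
    publish_checksums "$rel"
    if command -v gpg >/dev/null 2>&1 && [ -n "${FAH_SIGNING_KEY:-}" ]; then
        sign_checksums "$rel" "$FAH_SIGNING_KEY"
        verify_signature "$rel/SHA256SUMS"
    fi
    if verify_package "$rel/SHA256SUMS" "$rel/fahclient_7.5.1_amd64.deb"; then
        echo "pristine package: checksum OK"
    fi
    # Append one byte to simulate a corrupted or altered download.
    printf 'x' >> "$rel/fahclient_7.5.1_amd64.deb"
    if verify_package "$rel/SHA256SUMS" "$rel/fahclient_7.5.1_amd64.deb"; then
        echo "altered package: unexpectedly passed"
    else
        echo "altered package: checksum mismatch detected"
    fi
    rm -rf "$rel"
}

demo
```

A checksum published next to the package only tells a client that the download matches what is on the same server; the detached signature is what lets the client check the list against a key obtained separately, which is the distinction drawn in the posts above.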
