Folding Forum

Where are the linux, specifically debian, install package checksums?

I think, since the file is so small, no checksums are necessary, as it's easy to just redownload.
https://download.foldingathome.org/rele ... 4bit/v7.5/

@MeeLee The purpose of checksums is to verify the integrity of the file and is unrelated to the size of the file.

Does anyone with the folding team know where these checksums are? I would like to support but will not run unverified packages.

Download it 3x and generate your own checksums; or don't run the software if this is a limitation for you.
in the 25 years of my life on the net, I've never ever used checksums, other than for large files where download errors could occur.
I would suspect that when you download the files from the fah servers, you're not going to be afraid of running a malicious version:
https://download.foldingathome.org/rele ... c/release/

@alpha23 As far as I know, checksums for the downloads from the official F@h sites have not listed checksums for years. Quite frankly they are easily spoofed with the common checksums used over the years, and they may have stopped generating them as extra work for little added security.

@MeeLee, @Joe_H, While Windows users may not use checksums to verify their packages, Linux users do and it is standard practice. Downloading from FAH servers does not guarantee the package integrity which is the purpose of checksums/package signing. It appears that there is a lack of understanding of why this is important and how it works especially by the FAH team which does not post these. Checksums can easily be generated and posted on on a website where they cannot be spoofed. Alternatively, the packages could be signed via pgp to verify their integrity. This is also standard practice.

Obviously, I can choose to not run the software, which is what I will do until the package integrity can be verified, but that defeats the purpose of this conversation (@MeeLee, your comment regarding the same is frankly uncalled for). It is unfortunate because not including checksums/signed packages excludes the Linux admins, and others, who intelligently follow standard practices. The FAH team is losing out on computing resources. I alone have 2 video cards, capable of over 10 TFLOPs total, that are current bored because they have nothing to do but they are interested in donating to medical science. I was looking to expand this to at least 6 cards in the near future. Interestingly, the FAH program, to my understanding, uses checksums to verify the integreity download work units.

Package checksums for Linux are used because packages are distributed from several servers. But FAH package is only distributed by FAH server. If you get FAH downloads from other servers then I would be suspicious.

@foldy, That is simple not just the only use case nor the reason why checksums are used. Otherwise it would be the case, for example, that he linux kernel developers (https://www.kernel.org/) are wasting their time signing packages downloaded from their servers. There are many packages that are uploaded to a server controlled by the software authors and the checksums and/or pgp signatures are provided.

My post was requesting the checksums (or pgp signature) rather than numerous individuals posting comments about their misunderstandings of checksums and attempting to explain why these are not needed.

You guys can disagree about checksums but I don't see how a debate I agree that an extensive debate about them adds anything useful to this support site.

It's the position of the FAH development staff that since all downloads MUST be obtained from the official site ... and that site is officially deemed as secure ... that checksums are unnecessary and would add nothing to the security of the download. You may be at risk if you find a copy elsewhere but that's prohibited by the EULA.

alpha23 wrote:@MeeLee, @Joe_H, While Windows users may not use checksums to verify their packages, Linux users do and it is standard practice. Downloading from FAH servers does not guarantee the package integrity which is the purpose of checksums/package signing. It appears that there is a lack of understanding of why this is important and how it works especially by the FAH team which does not post these. Checksums can easily be generated and posted on on a website where they cannot be spoofed. Alternatively, the packages could be signed via pgp to verify their integrity. This is also standard practice.

Obviously, I can choose to not run the software, which is what I will do until the package integrity can be verified, but that defeats the purpose of this conversation (@MeeLee, your comment regarding the same is frankly uncalled for). It is unfortunate because not including checksums/signed packages excludes the Linux admins, and others, who intelligently follow standard practices. The FAH team is losing out on computing resources. I alone have 2 video cards, capable of over 10 TFLOPs total, that are current bored because they have nothing to do but they are interested in donating to medical science. I was looking to expand this to at least 6 cards in the near future. Interestingly, the FAH program, to my understanding, uses checksums to verify the integreity download work units.

I use Linux without checksums, without any issue for several years now...
I see no issue why making it an issue now...
Proper Linux etiquette does not state that checksums are necessary.
Like Bruce said, the source is fah servers, what more security do you want? It's just a 10 or so Meg file. Linux programs aren't signed like windows drivers. You can't get fah from the repositories, only from direct install.
Use the Deb or rpm packages. Don't bother with make.

Also www.kernel.org supports mirror sites. So you need the checksums from kernel.org to check if the binary packages of mirror sites match. Mirror sites for FAH are not supported.

The following is for FAH development staff (do not respond to this comment unless you are on the FAH development staff because it will add little value): I would urge you to reconsider your position as articulated by @bruce above as the assumptions made by your staff are in error. The following example illustrates the need for adequate checksums and/or signed packages (https://www.securitynewspaper.com/2016/ ... -saturday/). Moreover, there is the potential that your software could be modified during download, even if the possibility is remote. Finally, and while you will always find users who do not care or are un-knowledgable about security risks, it is standard practice for Linux admins to verify packages through checksums and/or signatures.

While I would like to contribute, for the benefit of medical research, through the usage of computing resources and electricity expenses, I will not run packages that cannot be verified.

I was the programmer for a 2000 person business. The auditors once wrote JimboPalmer writes all the programs we need but never attends our meetings. Can he come to our meetings? And I wrote back, is it more important than getting the programs you need?

Folding@home has a developer, writing all the PC and server code, which he must keep in sync. You wish to task him with book keeping, which will slow science .

You are correct that we only have so much bandwidth and have to make judicious choices about how to spend it. With regard to security, we've focused our efforts on features like signing cores to ensure that nobody can insert malicious code.

@gbowman, Doesn't the development team use automated build tools such as Jenkins? After putting together the several lines of code to generate and publish a checksum during a build, there is no bandwidth required on subsequent builds.

Better yet, create a pgp keypair (done once), publish the public key to a key server (done once), and then sign the files via the private key during each build (done automatically via the build code). Only one line of code needed to sign.