Download security

Here you can provide suggestions on how to improve the product, website, etc.
jadair
Posts: 2
Joined: 4. Mar 2016, 21:17

Download security

Post by jadair »

Please provide valid links to the SHA256 checksums on the Download VirtualBox 5.0.16 page or take the page down. Rather than deprecate using MD5, just remove MD5 checksums going forward.
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Download security

Post by mpack »

The page is in the process of being updated. 5.0.16 is not even announced yet. Try to show a little patience.
jadair
Posts: 2
Joined: 4. Mar 2016, 21:17

Re: Download security

Post by jadair »

The above were just a couple suggestions. Anyways, thanks for the quick reply.

I am looking for the latest stable VB 5.0 version and I presume that is 5.0.14, as I found the SHA256 checksums for that. But I am unable to find the accompanying download page (i.e., besides the SDK). This pushes me to consider 5.0.12, as the checksums are available for that. Currently I am running a not-the-latest 4.3.xx. I am in no rush to upgrade; I could easily wait a couple of weeks or whatever. I am new here, so any suggestions are much appreciated.
trekfan1
Posts: 98
Joined: 13. May 2007, 07:22
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux
Location: Italy

Re: Download security

Post by trekfan1 »

And the question is very important due to changes in new apt

Code:

W: http://download.virtualbox.org/virtualbox/debian/dists/wily/InRelease: Signature by key 7B0FAB3A13B907435925D9C954422A4B98AB5139 uses weak digest algorithm (SHA1)
Sorry for my English, I'm Italian
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Download security

Post by mpack »

These checksums aren't used as security, they are just used as a checksum, a basic check that the download went ok. A simple CRC16 would probably do the same job, but hey, they already had a tool to calculate MD5 and SHA-1.

As with any checksum, if they differ then you definitely have a problem. If they match then you (very) probably don't, provided the checksum algorithm is effective (e.g. doesn't give the same result for any length of zero bits).

What exactly is the danger envisaged here? That someone might invade your PC and replace your download with a hacked one that has the same MD5 or SHA-1 checksum? Seriously? Or maybe you think hackers have the ability to hack the Oracle servers to replace the file at the host end, but don't have the ability to post new checksums?

Perhaps you should look up the Wikipedia article on SHA-1, specifically Linus Torvalds' comments on its use (as a checksum) in Github. I can sense his resentment at having to respond to these paranoia-pandering idiots at all.
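Added example, not part of any post in this thread: Python code for the check under discussion, verifying a download against a list in `sha256sum` format. The file name and contents are constructed; the demo shows that the check catches a damaged transfer, that a file swapped together with its list on the same server still verifies, and that only a list obtained separately flags the swap.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")

def parse_sums(text):
    """Parse 'HEX  name' / 'HEX *name' lines (sha256sum output format)."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) == 64 and set(digest) <= HEX:
            sums[name] = digest
    return sums

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large installers are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, sums_text):
    """Return 'ok', 'mismatch' or 'no-entry' for the file at path."""
    expected = parse_sums(sums_text).get(Path(path).name)
    if expected is None:
        return "no-entry"
    return "ok" if hmac.compare_digest(sha256_file(path), expected) else "mismatch"

def demo():
    """Constructed data: a stand-in installer and its published checksum list."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "example-installer.bin"
        p.write_bytes(b"original release bytes")
        published = f"{sha256_file(p)} *{p.name}\n"
        out = {"intact": verify(p, published)}
        p.write_bytes(b"oriXinal release bytes")       # one byte damaged in transit
        out["corrupted"] = verify(p, published)
        p.write_bytes(b"different bytes")              # file swapped at the origin
        regenerated = f"{sha256_file(p)} *{p.name}\n"  # list regenerated to match
        out["swapped_same_origin_list"] = verify(p, regenerated)
        out["swapped_separate_list"] = verify(p, published)
        return out

if __name__ == "__main__":
    print(demo())
```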
trekfan1
Posts: 98
Joined: 13. May 2007, 07:22
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux
Location: Italy

Re: Download security

Post by trekfan1 »

Apt changelog:

Code:

apt (1.2.10) unstable; urgency=medium

  [ Zhou Mo ]
  * zh_CN.po: update simplified Chinese translation. (100%)

  [ Julian Andres Klode ]
  * test-apt-download-progress: Use a larger file for testing
  * Allow lowering trust level of a hash via config

  [ Michael Vogt ]
  * Use systemd.timer instead of a cron job (Closes: #600262, #709675, #663290)
    (LP: #246381, #727685)

  [ David Kalnischkies ]
  * use buffered writing for InRelease splitting

  [ Takuma Yamada ]
  * Japanese program translation update (Closes: 819938)

 -- Michael Vogt <mvo@debian.org>  Tue, 05 Apr 2016 20:23:47 +0200

apt (1.2.9) unstable; urgency=high

  [ David Kalnischkies ]
  * drop confusing comma from no strong hash message

  [ Julian Andres Klode ]
  * Do not mark packages for keep that we want to remove (LP: #1562402)
    (This fixes some upgrades involving renames where the old package
     is removed)

 -- Julian Andres Klode <jak@debian.org>  Sun, 27 Mar 2016 01:26:51 +0100

apt (1.2.8) unstable; urgency=medium

  [ Michael Vogt ]
  * Get accurate progress reporting in apt update again

  [ Julian Andres Klode ]
  * Report non-transient errors as errors, not as warnings
  * methods/gpgv: Rewrite error handling and message.
    Thanks to Ron Lee for wording suggestions
  * Use descriptive URIs in 104 Warning messages
  * cachefile: Only set members that were initialized successfully
    (Closes: #818628)
  * Update symbols file

  [ David Kalnischkies ]
  * do not strip epochs from state version strings (Closes: 818162)
  * properly check for "all good sigs are weak" (Closes: 818910)
  * handle gpgv's weak-digests ERRSIG

  [ Zhou Mo ]
  * zh_CN.po: update simplified Chinese translation. (Closes: #818639)

  [ Takuma Yamada ]
  * Japanese manpage translation update (Closes: 818950)

 -- Julian Andres Klode <jak@debian.org>  Thu, 24 Mar 2016 19:31:24 +0100

apt (1.2.7) unstable; urgency=medium

  "Caesar is dead"

  [ Frans Spiesschaert ]
  * Dutch program translation update (Closes: 817060)
  * Dutch manpages translation update (Closes: 817062)

  [ Julian Andres Klode ]
  * Use native architecture instead of amd64 for build-dep-purge test
  * Do not consider SHA1 usable
  * Test that SHA1-only .diff/Index files are not used
  * test: Use SHA512 digests for GPG, reject SHA1-based signatures
  * methods/gpgv: Reject weak digest algorithms
  * apt-pkg/acquire-worker.cc: Introduce 104 Warning message
  * methods/gpgv: Warn about SHA1 (and RIPEMD-160)

  [ David Kalnischkies ]
  * require $(HASH)-Download field in .diff/Index files
  * flush line-clearing on progress stop before post-invoke (Closes: 793672)
  * enforce verify of filesize in 'apt-get source'

  [ Manuel "Venturi" Porras Peralta ]
  * Spanish apt-mark translation fix (Closes: 817999)

  [ Zhou Mo ]
  * zh_CN.po: fix translation bug. (Closes: #818177)

  [ Michael Vogt ]
  * Fix bug where the problemresolve can put a pkg into a heisenstate
    (LP: #1550741)

 -- Julian Andres Klode <jak@debian.org>  Tue, 15 Mar 2016 19:20:18 +0100
etc
Sorry for my English, I'm Italian
mpack
Site Moderator
Posts: 39134
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: Download security

Post by mpack »

I don't see the relevance of that. The title of this topic is "Download Security". We weren't discussing the feature list of your checksum tool, we were discussing whether downloads need more complex checksums. See my earlier comments about frustration with people not understanding the problem domain.
trekfan1
Posts: 98
Joined: 13. May 2007, 07:22
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows, Linux
Location: Italy

Re: Download security

Post by trekfan1 »

ok ok sorry
Sorry for my English, I'm Italian