Seems hashes/checksums are no longer included in main repository (v5.2.4)

vmanvman
Posts: 9
Joined: 7. Dec 2017, 03:09
Primary OS: Debian other
VBox Version: PUEL
Guest OSses: MS Win, Linux (other), Mac OS X, & (experimentals)
Location: Prague, CZE

Post by vmanvman »

Before v5.2.4, hashes/checksums were included in the main repository per version; for example, like with v5.2.2...
https://download.virtualbox.org/virtual ... SHA256SUMS

Furthermore, one could remove the ending file and jump right into the browseable directory to see all the software available and pertinent to that version, such as:
https://download.virtualbox.org/virtualbox/5.2.2/

Today, I noticed that the repository for:
https://download.virtualbox.org/virtualbox/5.2.4/

does not include the hashes/checksums. Rather it's under a new non-browseable directory ("hashes"):
https://www.virtualbox.org/download/has ... SHA256SUMS

Additionally, I cannot simply browse the specific version hash directory; such as:
https://www.virtualbox.org/download/hashes/5.2.4/
or
https://www.virtualbox.org/download/hashes/

I must put in the exact link to the file as shown above or bust!

I'd like to know if this was intentional, and if so, why does it seem like a good idea?
If it wasn't unintentional, I hope the previous structure of including the hashes in the main version browseable repository can continue for v5.2.4 and onward.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Seems hashes/checksums are no longer included in main repository (v5.2.4)

Post by socratis »

vmanvman wrote:Before v5.2.4, hashes/checksums were included in the main repository per version; for example, like with v5.2.2... https://download.virtualbox.org/virtualbox/5.2.2/SHA256SUMS
It was never HTTPS; it always has been HTTP. Try it... http://download.virtualbox.org/virtualb ... SHA256SUMS.
vmanvman wrote:Furthermore, one could remove the ending file and jump right into the browseable directory
If you ignore the warnings from some browsers, you still can. As for the warning, see above.
vmanvman wrote:Today, I noticed that the repository for: https://download.virtualbox.org/virtualbox/5.2.4/ does not include the hashes/checksums. Rather it's under a new non-browseable directory ("hashes"): https://www.virtualbox.org/download/hashes/5.2.4/SHA256SUMS
Do you realize that it's a different site, a different certificate? If not, then I suggest Wikipedia.
vmanvman wrote:I must put in the exact link to the file as shown above or bust!
Actually, you *did* put the exact link manually, you won't find any HTTPS links that point to the "downloads.virtualbox.org" site. You thought that HTTPS would be more secure, that's why you put the address manually.
vmanvman wrote:I'd like to know if this was intentional, and if so, why does it seem like a good idea?
Unfortunately it was intentional; from your part. And no, it's not a good idea to assume that putting an "S" in a non-existing location is going to make it secure.
vmanvman wrote:I hope the previous structure of including the hashes in the main version browseable repository can continue for v5.2.4 and onward.
The previous structure *is* there. You simply chose to re-invent/bypass it.

Please search the forums and the bugtracker for similar issues/complaints. It's getting so repetitive, almost ad nauseam, that I might pay the HTTPS bill!

Not... ;)
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
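
The split discussed in this thread (downloads on the HTTP-only host, checksum list on the HTTPS site) as an added example, not code from either poster or from the VirtualBox project: it trusts a SHA256SUMS list only when it was fetched over HTTPS and checks a downloaded file against it. The function names, the sample file name and bytes, and the `<digest> *<filename>` line format are assumptions of this example.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def parse_sha256sums(text):
    """Parse '<64 hex digits> [*]<filename>' lines into {filename: digest}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" ")
        if name.startswith("*"):          # '*' is sha256sum's binary-mode marker
            name = name[1:]
        is_hex = len(digest) == 64 and all(c in "0123456789abcdefABCDEF" for c in digest)
        if not is_hex or not name:
            raise ValueError(f"malformed checksum line: {raw!r}")
        sums[name] = digest.lower()
    return sums

def verify_download(data, filename, manifest_text, manifest_url):
    """Return 'ok', 'mismatch', 'not-listed' or 'untrusted-manifest'."""
    # A list fetched over plain HTTP can be rewritten by whoever rewrote the download.
    if urlsplit(manifest_url).scheme != "https":
        return "untrusted-manifest"
    expected = parse_sha256sums(manifest_text).get(filename)
    if expected is None:
        return "not-listed"
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

# Constructed sample: stand-in bytes and file name, not a real VirtualBox release.
SAMPLE_NAME = "VirtualBox-sample.run"
SAMPLE_DATA = b"constructed installer bytes"
SAMPLE_MANIFEST = f"{hashlib.sha256(SAMPLE_DATA).hexdigest()} *{SAMPLE_NAME}\n"
HTTPS_LIST = "https://www.virtualbox.org/download/hashes/5.2.4/SHA256SUMS"
HTTP_LIST = "http://download.virtualbox.org/virtualbox/5.2.2/SHA256SUMS"

if __name__ == "__main__":
    print(verify_download(SAMPLE_DATA, SAMPLE_NAME, SAMPLE_MANIFEST, HTTPS_LIST))
    print(verify_download(SAMPLE_DATA + b"x", SAMPLE_NAME, SAMPLE_MANIFEST, HTTPS_LIST))
    print(verify_download(SAMPLE_DATA, SAMPLE_NAME, SAMPLE_MANIFEST, HTTP_LIST))
```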