Gentoo Forums
Gentoo LiveCDs fine.
Gentoo Forums Forum Index :: Networking & Security

Sapienter (n00b)
Joined: 16 Jul 2003
Posts: 22
Location: Columbus, OH

Posted: Sat Sep 20, 2003 11:11 pm    Post subject: Gentoo LiveCDs fine.

A main developer responded below; he's checked the ISOs and they are fine.

------------

This post has been updated to include new information from the few responses I've had in a couple of forums over the last 24 hours. Following the description of how I discovered the issue are some points on why it does not look like a corruption-on-transfer issue, or an updating-of-files-by-proper-authorities issue. My plea for others to check their md5 sums on the Athlon Live CD downloaded PRIOR to 9/19 stands.

-----------

I was downloading the 1.4 Athlon-XP livecd ISOs yesterday and today and kept having trouble, only winding up with partial downloads. So I downloaded several attempts to different partitions and directories. Since I was seeing trouble getting the whole file, I whipped out an md5 sum checker and used that to verify my sums.

I found something disturbing.

Throughout the day I had downloaded the little athlon-xp-1.4-20030911-cd1.iso.MD5.txt file several times, but the contents of the file (the hex md5 checksums written in ASCII) DID NOT MATCH.

The file is at .../releases/x86/1.4/livecd/athlon-xp

At 01:55 EST cd1 was cfcabc3d8a249310bd69a1f0c6a031d0
At 12:39 EST cd1 was 3b0b50427d4bd8b8dfd7c7d55cd742a9
Currently cd1 was 342f5e09c7e8f9297deb300b1cfe9a31

But the files (both the iso and the md5) continue to claim a modification date of 9-14-2003. I have just quadruple checked and the earlier files are all named exactly the same, and the CURRENT checksum is current across ALL the servers. Changes to data without changes to timestamps are possible with the rsync protocol, but are a BIG warning flag for foul play. Can a few dozen people please check their copies downloaded/burned before today for what md5 values are listed there (preferably copies downloaded onto a different OS)? Is gentoo central rooted? I am feeling very paranoid now. The reason I usually don't check md5s is because if the site is hacked, the posted md5 will also be hacked, and transfer protocol error checking has been good enough for me to get clean copies on my broadband. Signed floppynett-ed keyservers are the only way my company is going for approved updates.

-------------

If the files are being updated (which would not be corruption), why didn't the timestamps change? And it can't be updates, because I've installed the LiveCD to a sparkgap-firewalled box (untrusted Operating System) and the OpenSSH package is NOT updated with the security patch (still version 3.6.1_p2), the fix for which (openssh-3.7.1_p1) came out 9-16. If they were to update anything, they would update the security patch on SSH.

And as I mentioned in the other thread, corruption can't be the issue, because the md5 DOES match the file now, and the TWO previous text files quoted different data of perfect MD5 length. The md5 of the downloaded file and the text files quoted md5 are in perfect agreement. The issue is that what they agree on CHANGED, without the timestamp changing, like someone changed the file, and didn't want anyone else to notice. I am not comfortable putting the systems I've made with that online now, as they may be backdoored.

It is possible that the files could have been distributed corruptly to the servers originally, but it is not possible that I downloaded two DIFFERENT tiny text md5 files which both happened to corrupt in transit in such a way as to change ALL of their characters to different valid ASCII text HEX characters. The odds simply of getting valid hex chars randomly are 16 out of 254 to the POWER of the md5 key length, plus the difficulty of protocol error checking being damaged so as not to notice, resulting in odds WAAAY worse than ball-bearing-landing-in-egg-sandwich odds (for Douglas Adams fans). And these ridiculous odds had to happen TWICE in one day over a sample of perhaps a dozen downloads of the wee files.


Last edited by Sapienter on Sun Sep 21, 2003 8:55 pm; edited 2 times in total
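An added example, not code from the thread or from Gentoo, of the check the poster describes: parse a published .MD5.txt, stream an MD5 over a local ISO, and flag a published digest that drifts between downloads while nothing else changes. It assumes the md5sum-style "<digest>  <filename>" layout for the .MD5.txt and uses a constructed stand-in file; the three cd1 digests are the ones quoted above.

```python
import hashlib
import os
import tempfile

def parse_md5_file(text):
    """Return {filename: digest}. Assumes md5sum(1) layout, '<32 hex>  <name>'."""
    sums = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        digest, _, name = line.partition(" ")
        if len(digest) != 32 or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError("malformed digest line: %r" % line)
        sums[name.strip().lstrip("*")] = digest.lower()  # '*' = md5sum binary mode
    return sums

def md5_of_file(path, chunk=1 << 20):
    """Stream the file so a 700 MB ISO never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(path, md5_text):
    expected = parse_md5_file(md5_text).get(os.path.basename(path))
    return expected is not None and md5_of_file(path) == expected

def checksum_drift(snapshots):
    """Files whose published digest changed between consecutive [(label, text)] snapshots."""
    changes, prev_label, prev = [], None, {}
    for label, text in snapshots:
        cur = parse_md5_file(text)
        changes += [(n, prev_label, prev[n], label, d) for n, d in cur.items()
                    if n in prev and prev[n] != d]
        prev_label, prev = label, cur
    return changes

# Constructed snapshots carrying the three cd1 digests quoted in the thread.
SNAPSHOTS = [
    ("01:55 EST", "cfcabc3d8a249310bd69a1f0c6a031d0  athlon-xp-1.4-20030911-cd1.iso\n"),
    ("12:39 EST", "3b0b50427d4bd8b8dfd7c7d55cd742a9  athlon-xp-1.4-20030911-cd1.iso\n"),
    ("current", "342f5e09c7e8f9297deb300b1cfe9a31  athlon-xp-1.4-20030911-cd1.iso\n"),
]

def demo():
    # Constructed stand-in ISO: check it against its own MD5 file, then the published one.
    iso = os.path.join(tempfile.mkdtemp(), "athlon-xp-1.4-20030911-cd1.iso")
    with open(iso, "wb") as f:
        f.write(b"constructed stand-in for the ISO image\n" * 1000)
    own = "%s  %s\n" % (md5_of_file(iso), os.path.basename(iso))
    return verify_iso(iso, own), verify_iso(iso, SNAPSHOTS[2][1]), checksum_drift(SNAPSHOTS)
```

An ISO that matches its .MD5.txt only shows the transfer was clean; as the poster notes, a compromised mirror can publish matching values for both, which is why a signature checked against a key obtained out of band is the stronger test.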
GurliGebis (Retired Dev)
Joined: 08 Aug 2002
Posts: 509

Posted: Sun Sep 21, 2003 8:46 am

I think one of the files is corrupt, that might be why the MD5 sum doesn't match.
_________________
Queen Rocks.
Sapienter (n00b)
Joined: 16 Jul 2003
Posts: 22
Location: Columbus, OH

Posted: Sun Sep 21, 2003 5:14 pm

Nope, that's not it, because the md5 DOES match the file now. The md5 of the downloaded file and the text files quoted md5 are in perfect agreement. The issue is that what they agree on CHANGED, without the timestamp changing, like someone changed the file, and didn't want anyone else to notice. I am not comfortable putting the systems I've made with that online now, as they may be backdoored.
_________________
"The spirit of the law is the least of the things we are prepared to violate."
--from http://www.schlockmercenary.com/
Sapienter (n00b)
Joined: 16 Jul 2003
Posts: 22
Location: Columbus, OH

Posted: Sun Sep 21, 2003 5:50 pm

Updated top post; it has all current info. I just noticed the IRC channel, and am going there to try and find someone who knows what may be happening.
_________________
"The spirit of the law is the least of the things we are prepared to violate."
--from http://www.schlockmercenary.com/
Sapienter (n00b)
Joined: 16 Jul 2003
Posts: 22
Location: Columbus, OH

Posted: Sun Sep 21, 2003 7:34 pm

BTW, I got on IRC and talked to a developer, and have submitted Bug 29279.
_________________
"The spirit of the law is the least of the things we are prepared to violate."
--from http://www.schlockmercenary.com/
drobbins (Retired Dev)
Joined: 10 Apr 2002
Posts: 19
Location: Albuquerque, NM

Posted: Sun Sep 21, 2003 8:12 pm    Post subject: The Athlon-XP CDs are fine

Hi,

I personally verified that the athlon-xp 20030911 CDs are fine. The correct md5sum for each ISO is:

342f5e09c7e8f9297deb300b1cfe9a31 athlon-xp-1.4-20030911-cd1.iso
bf147d4cad75ea29924cc7f92fe1cb84 athlon-xp-1.4-20030911-cd2.iso

I have also verified that the md5sums of all the files on each iso match the master build over here.

Sincerely,

Daniel