Monolune

APT and Being Obsessed with Verifying Checksums After Every Download

I thought I was unusual. One day, I observed a classmate downloading a game from the internet. Once the download had completed, he immediately started the installation process. "Aren't you going to check that the file is not corrupt?" I asked. "What? I don't do that," was the reply. Now I know.

Originally, I started checking the md5, sha1, and sha256 hashes whenever possible to verify the 'authenticity' of the installers I downloaded. Something that constantly bothered me was that some download providers do not publish the checksums of the files they provide. In these situations, I felt that I had to rely on luck for my download not to be corrupt or modified on the way. Verifying checksums on Windows was a hassle. That is something I do not miss.

Later, an incident proved that it was indeed wise to verify checksums. I downloaded XAMPP ("an easy to install Apache distribution containing MariaDB, PHP and Perl"), and thankfully, the sha1 sums were provided. For the first two downloads, the hashes I calculated did not match the one provided on the site. The third download matched. Through this, I avoided a corrupt (or possibly malicious) download. Installing software on Windows was a relative headache.

Then, I rediscovered the Debian family. APT was a refreshing change from the way I used to install software on Windows. A central repository (app store) for software? Yes! Automatic checksum verification, and cryptographic verification of the checksums that are compared against the downloaded packages? Yes! Less to think about. Just plug and play. APT was probably the big reason why I have stayed with the Debian family. I have found UNIX-like operating systems to be very flexible, allowing me to build software in a way that makes more sense to me. As a bonus, Raspbian, the OS that runs on the Raspberry Pi, is also part of the Debian family. Such wonders.

Sometimes, manual verification cannot be avoided. A notable case is when I download and verify the image of an OS. When I download FreeBSD, Debian, or Ubuntu, I will always do my best to verify the GPG signatures provided.
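The manual check described here, and the checksum comparison that caught the bad XAMPP downloads above, as an added example that is not part of the original post. It is a small POSIX shell script that verifies a downloaded file against a published SHA256SUMS file and shows how a corrupted copy is rejected before installation. The "installer.iso" and its SHA256SUMS are constructed inside the script so it runs offline; the function names and temp-directory layout are my own.

```shell
#!/bin/sh
# Added example (not from the original post): verify a download against a
# SHA256SUMS file before installing it, and show a corrupt copy being caught.
set -eu

# Portable SHA-256: GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_download FILE SUMSFILE
# Prints "ok: <name>", "MISMATCH: <name>" or "MISSING: <name>".
# Exit status: 0 = hash matches, 1 = hash differs, 2 = file not listed.
verify_download() {
  file=$1; sums=$2
  name=$(basename "$file")
  # SHA256SUMS lines look like "<hash>  <name>" (or "<hash> *<name>" for
  # binary mode), the same format sha256sum itself prints.
  expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "MISSING: $name is not listed in $(basename "$sums")"
    return 2
  fi
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "ok: $name"
    return 0
  fi
  echo "MISMATCH: $name"
  echo "  expected $expected"
  echo "  got      $actual"
  return 1
}

# --- constructed demo data standing in for a real image and its SHA256SUMS ---
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
mkdir "$workdir/bad"
GOOD=$workdir/installer.iso
BAD=$workdir/bad/installer.iso
SUMS=$workdir/SHA256SUMS

printf 'pretend this is an installer image\n' > "$GOOD"
# Publisher-side step: record the hash of the genuine file.
printf '%s  installer.iso\n' "$(sha256_of "$GOOD")" > "$SUMS"
# A "corrupt download": same file name, one byte different.
printf 'pretend this is an installer imagX\n' > "$BAD"

# Only install when the published hash matches what we actually received.
for candidate in "$GOOD" "$BAD"; do
  if verify_download "$candidate" "$SUMS"; then
    echo "  -> safe to install $candidate"
  else
    echo "  -> refusing to install $candidate; download it again"
  fi
done
```

On a real mirror the same comparison is one command, `sha256sum -c SHA256SUMS --ignore-missing`, run in the download directory. That only proves the file matches the sums file; to know the sums file itself is genuine, verify the detached signature the distribution publishes beside it (Ubuntu ships `SHA256SUMS.gpg`, Debian `SHA256SUMS.sign`) with `gpg --verify SHA256SUMS.gpg SHA256SUMS` against the project's signing key, obtained from a source other than the download mirror.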

In the last month, I have become more and more interested in the Red Hat family, particularly CentOS. We will see how yum does things. I am quite sure that there will be no going back to the manual way of downloading and verifying. Excellent!