HowToMD5SUM should say how to check a CD's integrity directly
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Ubuntu Documentation | Won't Fix | Wishlist | Dougie Richardson |
Bug Description
The HowToMD5SUM page has two ways of checking integrity:
1. Given an ISO, determine whether it is one of the official Ubuntu ISOs.
2. Assuming you have an official Ubuntu ISO, and have burned it to CD, check to make sure the files were burned correctly.
There are no instructions for: "Given a CD, determine whether it was correctly burned from one of the official Ubuntu ISOs."
Use Cases:
1. I send an Ubuntu CD via postal mail to a friend. He needs to check the integrity before running it to make sure some malicious person isn't mailing him fake Ubuntu CDs.
2. I see a CD labelled "Ubuntu 7.04" lying around at work and want to use it. I need to check the integrity before running it.
Workaround:
1. Extract an ISO from the CD and check the ISO. But this negates some of the convenience of having a ready-to-install Ubuntu CD.
Possible Solutions:
1. On Unix you can just run md5sum on the block device (/dev/hdb1 or whatever). Then the UbuntuHashes page can have another md5sum posted for the raw CD bits (or will this be the same as the ISO md5sum?). Also, need to find out how to do this on Windows.
2. Post the CD's "md5sum.txt" file on the UbuntuHashes page. Users can download this and check their CD using this file instead of the one on the CD (which you can't necessarily trust). A problem with this is that "md5sum -c" will not complain if a file exists on the CD that doesn't exist in "md5sum.txt". This allows a malicious person to add files to the CD and have it go unnoticed.
With regard to possible solutions, it is my understanding from RFC1321 that MD5 sums are generated in respect of the number of bits. I'm not 100% sure about whether every CD burned by every manufacturer's drives would generate the same MD5 sum; certainly different burning software writes different numbers of bits in closing the disc.
This is a perennial problem, noted throughout the community, and as you state, the common solution is to extract to ISO and then compare that MD5 sum against the immutable pages.
I agree there is the potential for misuse of the MD5 on the CD but the question is really where do we draw the line - MD5 can be cracked with rainbow tables if it isn't salted.
I think this warrants further discussion.