Install package checksums

Moderators: Site Moderators, FAHC Science Team

alpha23
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Install package checksums

Post by alpha23 »

Where are the linux, specifically debian, install package checksums?
MeeLee
Posts: 1339
Joined: Tue Feb 19, 2019 10:16 pm

Re: Install package checksums

Post by MeeLee »

I think, since the file is so small, no checksums are necessary, as it's easy to just redownload.
https://download.foldingathome.org/rele ... 4bit/v7.5/
alpha23
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Post by alpha23 »

@MeeLee The purpose of checksums is to verify the integrity of the file and is unrelated to the size of the file.

Does anyone with the folding team know where these checksums are? I would like to support but will not run unverified packages.
MeeLee
Posts: 1339
Joined: Tue Feb 19, 2019 10:16 pm

Re: Install package checksums

Post by MeeLee »

Download it 3x and generate your own checksums; or don't run the software if this is a limitation for you.
in the 25 years of my life on the net, I've never ever used checksums, other than for large files where download errors could occur.
I would suspect that when you download the files from the fah servers, you're not going to be afraid of running a malicious version:
https://download.foldingathome.org/rele ... c/release/
Joe_H
Site Admin
Posts: 7929
Joined: Tue Apr 21, 2009 4:41 pm
Hardware configuration: Mac Pro 2.8 quad 12 GB smp4
MacBook Pro 2.9 i7 8 GB smp2
Location: W. MA

Re: Install package checksums

Post by Joe_H »

@alpha23 As far as I know, checksums for the downloads from the official F@h sites have not listed checksums for years. Quite frankly they are easily spoofed with the common checksums used over the years, and they may have stopped generating them as extra work for little added security.
Image

iMac 2.8 i7 12 GB smp8, Mac Pro 2.8 quad 12 GB smp6
MacBook Pro 2.9 i7 8 GB smp3
alpha23
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Post by alpha23 »

@MeeLee, @Joe_H, While Windows users may not use checksums to verify their packages, Linux users do and it is standard practice. Downloading from FAH servers does not guarantee the package integrity which is the purpose of checksums/package signing. It appears that there is a lack of understanding of why this is important and how it works especially by the FAH team which does not post these. Checksums can easily be generated and posted on on a website where they cannot be spoofed. Alternatively, the packages could be signed via pgp to verify their integrity. This is also standard practice.

Obviously, I can choose to not run the software, which is what I will do until the package integrity can be verified, but that defeats the purpose of this conversation (@MeeLee, your comment regarding the same is frankly uncalled for). It is unfortunate because not including checksums/signed packages excludes the Linux admins, and others, who intelligently follow standard practices. The FAH team is losing out on computing resources. I alone have 2 video cards, capable of over 10 TFLOPs total, that are current bored because they have nothing to do but they are interested in donating to medical science. I was looking to expand this to at least 6 cards in the near future. Interestingly, the FAH program, to my understanding, uses checksums to verify the integreity download work units.
foldy
Posts: 2040
Joined: Sat Dec 01, 2012 3:43 pm
Hardware configuration: Folding@Home Client 7.6.13 (1 GPU slots)
Windows 7 64bit
Intel Core i5 2500k@4Ghz
Nvidia gtx 1080ti driver 441

Re: Install package checksums

Post by foldy »

Package checksums for Linux are used because packages are distributed from several servers. But FAH package is only distributed by FAH server. If you get FAH downloads from other servers then I would be suspicious.
alpha23
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Post by alpha23 »

@foldy, That is simple not just the only use case nor the reason why checksums are used. Otherwise it would be the case, for example, that he linux kernel developers (https://www.kernel.org/) are wasting their time signing packages downloaded from their servers. There are many packages that are uploaded to a server controlled by the software authors and the checksums and/or pgp signatures are provided.

My post was requesting the checksums (or pgp signature) rather than numerous individuals posting comments about their misunderstandings of checksums and attempting to explain why these are not needed.
bruce
Posts: 20824
Joined: Thu Nov 29, 2007 10:13 pm
Location: So. Cal.

Re: Install package checksums

Post by bruce »

You guys can disagree about checksums but I don't see how a debate I agree that an extensive debate about them adds anything useful to this support site.

It's the position of the FAH development staff that since all downloads MUST be obtained from the official site ... and that site is officially deemed as secure ... that checksums are unnecessary and would add nothing to the security of the download. You may be at risk if you find a copy elsewhere but that's prohibited by the EULA.
MeeLee
Posts: 1339
Joined: Tue Feb 19, 2019 10:16 pm

Re: Install package checksums

Post by MeeLee »

alpha23 wrote:@MeeLee, @Joe_H, While Windows users may not use checksums to verify their packages, Linux users do and it is standard practice. Downloading from FAH servers does not guarantee the package integrity which is the purpose of checksums/package signing. It appears that there is a lack of understanding of why this is important and how it works especially by the FAH team which does not post these. Checksums can easily be generated and posted on on a website where they cannot be spoofed. Alternatively, the packages could be signed via pgp to verify their integrity. This is also standard practice.

Obviously, I can choose to not run the software, which is what I will do until the package integrity can be verified, but that defeats the purpose of this conversation (@MeeLee, your comment regarding the same is frankly uncalled for). It is unfortunate because not including checksums/signed packages excludes the Linux admins, and others, who intelligently follow standard practices. The FAH team is losing out on computing resources. I alone have 2 video cards, capable of over 10 TFLOPs total, that are current bored because they have nothing to do but they are interested in donating to medical science. I was looking to expand this to at least 6 cards in the near future. Interestingly, the FAH program, to my understanding, uses checksums to verify the integreity download work units.
I use Linux without checksums, without any issue for several years now...
I see no issue why making it an issue now...
Proper Linux etiquette does not state that checksums are necessary.
Like Bruce said, the source is fah servers, what more security do you want? It's just a 10 or so Meg file. Linux programs aren't signed like windows drivers. You can't get fah from the repositories, only from direct install.
Use the Deb or rpm packages. Don't bother with make.
foldy
Posts: 2040
Joined: Sat Dec 01, 2012 3:43 pm
Hardware configuration: Folding@Home Client 7.6.13 (1 GPU slots)
Windows 7 64bit
Intel Core i5 2500k@4Ghz
Nvidia gtx 1080ti driver 441

Re: Install package checksums

Post by foldy »

Also www.kernel.org supports mirror sites. So you need the checksums from kernel.org to check if the binary packages of mirror sites match. Mirror sites for FAH are not supported.
alpha23
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Post by alpha23 »

The following is for FAH development staff (do not respond to this comment unless you are on the FAH development staff because it will add little value): I would urge you to reconsider your position as articulated by @bruce above as the assumptions made by your staff are in error. The following example illustrates the need for adequate checksums and/or signed packages (https://www.securitynewspaper.com/2016/ ... -saturday/). Moreover, there is the potential that your software could be modified during download, even if the possibility is remote. Finally, and while you will always find users who do not care or are un-knowledgable about security risks, it is standard practice for Linux admins to verify packages through checksums and/or signatures.

While I would like to contribute, for the benefit of medical research, through the usage of computing resources and electricity expenses, I will not run packages that cannot be verified.
JimboPalmer
Posts: 2522
Joined: Mon Feb 16, 2009 4:12 am
Location: Greenwood MS USA

Re: Install package checksums

Post by JimboPalmer »

I was the programmer for a 2000 person business. The auditors once wrote JimboPalmer writes all the programs we need but never attends our meetings. Can he come to our meetings? And I wrote back, is it more important than getting the programs you need?

Folding@home has a developer, writing all the PC and server code, which he must keep in sync. You wish to task him with book keeping, which will slow science .
Tsar of all the Rushers
I tried to remain childlike, all I achieved was childish.
A friend to those who want no friends
gbowman
Posts: 208
Joined: Fri Nov 30, 2007 9:51 pm

Re: Install package checksums

Post by gbowman »

You are correct that we only have so much bandwidth and have to make judicious choices about how to spend it. With regard to security, we've focused our efforts on features like signing cores to ensure that nobody can insert malicious code.
alpha23
Posts: 7
Joined: Tue Dec 24, 2019 6:02 am

Re: Install package checksums

Post by alpha23 »

@gbowman, Doesn't the development team use automated build tools such as Jenkins? After putting together the several lines of code to generate and publish a checksum during a build, there is no bandwidth required on subsequent builds.

Better yet, create a pgp keypair (done once), publish the public key to a key server (done once), and then sign the files via the private key during each build (done automatically via the build code). Only one line of code needed to sign.
Locked