
Official checksums for current sav-linux-free-9.tgz

Dear Sophos Team,

Could you please post the checksums for the current Sophos Antivirus for Linux installation file? According to your download website

https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx

it is version 9.12.3.

Also, why don't you publish these checksums on your download website, as other software companies do? It would save customers the trouble of asking and Sophos Support the time of answering the same question over and over.

Many thanks,

Kai



  • Hello Kai,

    [I'm not Sophos]
    I know that checksums are popular but, frankly, what's the real benefit here? To check whether the download is incomplete or corrupted? Or that the download is genuine?

    Seems that Sophos doesn't really believe in publishing checksums for these downloads. They did so some time ago for certain products, unfortunately download and published checksum weren't always synchronized (presumably causing even more questions than the mere absence of the latter).

    Christian

  • Hi Christian,

    Many thanks for the quick response.

    Yes, exactly the purpose you described: Making sure that the file is ok, having something like a secure chain from the download website and its SSL certificate to a checksum of the file I want to download.

    I find it difficult to understand why a security company would not offer these basic means of file checking, and how they would want somebody to trust their products, be they free or paid for.

    From a practical side of things, they could just post the checksums of new versions on this very forum, making it easy for everybody interested to find it and verify. If there are different versions around and they cannot get them in sync they could just post a new checksum whenever a new version becomes available and the public would be able to find the correct checksum for the file they downloaded, for example in a sticky post.

    Hopefully, somebody from Sophos will read this, but the last time they responded to a checksum for Linux Sophos question seems to have been 20 months ago.

    Thanks again!

    Kai 

  • Hello Kai,

    "security [...] basic means of file checking"
    It gives IMO a false sense of security as it is too often applied in the opposite direction - if the checksum matches then the file is ok. The case of accidental corruption of the download aside (protocols and applications should ensure integrity in most cases, internal structures and dependencies make many of the remaining errors obvious, the chance that a flipped bit goes unnoticed and has harmful consequences is ...?)
    Keep in mind you just transfer the trust from the download to the checksum. You think the download might be compromised - how can you tell the checksum is genuine? Are community.sophos.com and downloads.sophos.com (or whatever) indeed independent sources? Wouldn't someone who is able to compromise the download also be able to compromise the checksum?

    I've never heard an official statement in this direction though (I just conjecture what could be the reason for not publishing checksums)

    Christian
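Added example, not part of the thread and not Sophos code: the verification step Kai asks for (compare a downloaded installer against a published SHA-256) and the caveat Christian raises (a checksum only moves trust to wherever the checksum came from). The script parses the sha256sum(1) manifest format, streams the file through SHA-256, compares in constant time, and offers a cross-check that only passes when every listed source agrees. The installer bytes, the manifest and the source names are constructed placeholders; the real sav-linux-free-9.tgz digest is not on this page.

```python
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the installer; NOT the real sav-linux-free-9.tgz bytes.
SAMPLE_TARBALL = b"constructed placeholder, not the real installer\n" * 64
HEX = set("0123456789abcdef")


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file so a large installer is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse sha256sum(1) output: '<64 hex>  <name>' or '<64 hex> *<name>' per line.

    Blank lines and '#' comments are skipped; anything else malformed is an error,
    because a silently ignored entry would let a bad manifest 'pass' by omission.
    """
    digests = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed manifest entry")
        digest, name = parts[0].lower(), parts[1].lstrip("*")
        if len(digest) != 64 or any(c not in HEX for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        digests[name] = digest
    return digests


def verify_download(path, manifest_text):
    """Return (ok, detail). ok is True only when the file's digest matches its entry."""
    expected = parse_sha256sums(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False, "no entry for this file in the manifest"
    actual = sha256_file(path)
    if hmac.compare_digest(actual, expected):  # constant-time string compare
        return True, actual
    return False, f"mismatch: expected {expected}, got {actual}"


def cross_check(manifests_by_source, name):
    """Require every source's digest for `name` to agree before trusting it.

    This is the 'trust transfer' point from the thread: a checksum served by the
    same host (or the same compromised account) as the download adds no independent
    assurance, so only genuinely independent sources are worth listing here.
    """
    seen = {src: parse_sha256sums(txt).get(name) for src, txt in manifests_by_source.items()}
    missing = [src for src, d in seen.items() if d is None]
    if missing:
        return False, f"no entry for {name} in: {missing}"
    distinct = set(seen.values())
    if len(distinct) == 1:
        return True, distinct.pop()
    return False, f"sources disagree: {seen}"


def demo(tmp_dir=None):
    """Constructed end-to-end run: the genuine file passes, one flipped bit fails."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    path = os.path.join(tmp_dir, "sav-linux-free-9.tgz")
    with open(path, "wb") as f:
        f.write(SAMPLE_TARBALL)
    # Manifest as a vendor might publish it; digest computed from the constructed bytes.
    manifest = f"{hashlib.sha256(SAMPLE_TARBALL).hexdigest()}  sav-linux-free-9.tgz\n"
    ok_good, _ = verify_download(path, manifest)
    corrupted = bytearray(SAMPLE_TARBALL)
    corrupted[100] ^= 0x01  # the single flipped bit from Christian's reply
    with open(path, "wb") as f:
        f.write(corrupted)
    ok_bad, _ = verify_download(path, manifest)
    return ok_good, ok_bad


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The manifest parser rejects malformed lines rather than skipping them, and `cross_check` treats a missing entry in any source as a failure; both choices err toward "do not install" when the published data is inconsistent, which is the direction in which a checksum is actually useful.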
