Official checksums for current sav-linux-free-9.tgz

RE: Official checksums for current sav-linux-free-9.tgz

DMatthew — Wed, 07 Feb 2018 11:11:35 GMT

Kai, I fully agree and share your concerns and frustrations. Checksums are common place and have stood the test of time. I am certainly baffled that Sophos does not provide this to help ensure their installers have not been tampered with by a 3rd party (not a new concept). I would add though that the installer and checksum info should come from two different server sites (and keeping the downloader and checksum in sync really should not be that difficult, either).

The last time I wanted to install Sophos I saw this same old thread that has essentially been ignored. I ended up just turning away and giving up on it.

RE: Official checksums for current sav-linux-free-9.tgz

QC — Fri, 07 Jul 2017 07:37:29 GMT

Hello Kai,

security [...] basic means of file checking
it gives IMO a false sense of security as it is too often applied in the opposite direction - if the checksum matches then the file is ok. The case of accidental corruption of the download aside (protocols and applications should ensure integrity in most cases, internal structures and dependencies make many of the remaining errors obvious, the chance that a flipped bit goes unnoticed and has harmful consequences is ...?)
Keep in mind you just transfer the trust from the download to the checksum. You think the download might be compromised - how can you tell the checksum is genuine? Are community.sophos.com and downloads.sophos.com (or whatever) indeed independent sources? Wouldn't someone who is able to compromise the download also be able to compromise the checksum?

I've never heard an official statement in this direction though (I just conjecture what could be the reason for not publishing checksums)

Christian

RE: Official checksums for current sav-linux-free-9.tgz

Kai S — Fri, 07 Jul 2017 05:30:27 GMT

Hi Christian,

Many thanks for the quick response.

Yes, exactly the purpose you described: Making sure that the file is ok, having something like a secure chain from the download website and its SSL certificate to a checksum of the file I want to download.

I find it difficult to understand why a security company would not offer these basic means of file checking, and how they would want somebody to trust their products, be they free or paid for.

From a practical side of things, they could just post the checksums of new versions on this very forum, making it easy for everybody interested to find it and verify. If there are different versions around and they cannot get them in sync they could just post a new checksum whenever a new version becomes available and the public would be able to find the correct checksum for the file they downloaded, for example in a sticky post.

Hopefully, somebody from Sophos will read this, but the last time they responded to a checksum for Linux Sophos question seems to have been 20 months ago.

Thanks again!

Kai

RE: Official checksums for current sav-linux-free-9.tgz

QC — Thu, 06 Jul 2017 07:01:08 GMT

Hello Kai,

[I'm not Sophos]
I know that checksums are popular but, frankly, what's the real benefit here? To check whether the download is incomplete or corrupted? Or that the download is genuine?

Seems that Sophos doesn't really believe in publishing checksums for these downloads. They did so some time ago for certain products, unfortunately download and published checksum weren't always synchronized (presumably causing even more questions than the mere absence of the latter).

Christian