The BitTorrent downloads are recommend on the download page. I’ve never downloaded anything via BitTorrent as I’ve been led to believe that you can download all kinds of unwanted (malware) things that way. So here’s the question for someone who really understands the technology and the security issues - how safe/dangerous is it to download ubuntu-mate ISOs via these BitTorrent-links?
I can’t believe for one moment that the project would expose us to risk when downloading the ISOs, but I’d like to hear (or rather read) the explanation.
Would any of the wise be kind enough to enlighten me?
Hi
You’ll be completely safe downloading from the links of the UM download page.
All sorts of things can be downloaded via torrents, including great linux distros - go for it!
Also, downloading iso via torrent eases the load on the UM download servers - you only have to download a little torrent file, rather than a great big iso, your torrenting program will do the rest.
BitTorrent is a perfectly safe (sometimes quicker) way to download files, I'll compare the two:
HTTP Download
This asks the web server for the file, and your web browser downloads it from that one source. Speed will vary between your connection and server. Bandwidth isn't free neither, so there is a slight cost to the project for all the bytes needed to send the file to you. That's why BitTorrent is preferred where possible.
------------->
Security: It's highly unlikely to happen, but if your connection is involved in a man-in-the-middle attack, the web browser could be downloading a modified version. That's where checksums come into place, which I'll describe further below.
BitTorrent Download
Instead of downloading from one source, your BitTorrent client securely connects to other clients who are sharing the same file. You could be downloading from your next door neighbour for all we know. Your client asks others for different pieces of the file you don't have so they can be transferred to you, and vice versa -- others who are looking for a piece of the file that you have but they don't, can have that piece too.
This approach requires you to upload too. Since there can be many sources, this can greatly accelerate the speed of the download. Ubuntu MATE's torrents also have web seeds, so there's always a server to provide the files if nobody is around to seed.
While you are downloading and haven't quite got the full yet, you are considered a leecher.
As soon as you have everything, you become a seeder.
It's a good idea to upload as much as you downloaded so others benefit too - at minimum a 1.0 ratio. Others may be generous keep their clients running under they achieve a 1.5 or 2.0 ratio. Those who don't bother seeding may feel guilty for not giving back as much as what others gave to them. That's how some torrents may end up dead with no seeders and too many leechers.
--|
--| <-------->
--|
Security: BitTorrent verifies data as it's downloaded, so if a piece doesn't match, then it will download it again from another source. Nothing malicious can get through as it is checksummed, not unless it was a dodgy torrent to begin with.
Checksums
The file is either exactly the same or it's different. It's the foolproof way to know if the file is an exact replica or had been modified along the way. The download page has a link to these checksums, and you can use a utility to verify them.
This is also recommended, as the page states:
If you direct download the .iso image please make sure the [appropriate MD5 hash][1] matches.
Under Ubuntu, you can use the md5sum
command:
md5sum /home/user/desktop/ubuntu-mate-15.10-desktop-amd64.iso
If the checksum matches, it's a perfect clean copy, otherwise, it's been modified -- sometimes could be caused by failing hardware or a broken download.
[1]: http://cdimage.ubuntu.com/ubuntu-mate/releases/15.10/release/MD5SUMS
Downloading a torrent file is not, in itself, dodgy. It is only dodgy if you download it from a dodgy website. Thus, if you download the official UM torrent, you will be absolutely fine.
The on-board torrent client in UM is Transmission. However, I have always found Qbittorrent to work better.
If you wanted to use Qbittorrrent, you can install it from a terminal with the following command:
sudo apt-get install qbittorrent
Though, I should add, Transmission works okay and also is a lot simpler to use for someone new to torrentlng.
@lah7 Nice explanation
I would like to highlight that MD5 is not very collision resistant, which means that even if the checksum matches, it is quite possible that the file may have been modified.
Using SHA-256 or SHA-512 as the checksum is a better option due to their much better collision resistance, although it doesn’t really matter in this case since the torrent file hosted on the Ubuntu MATE website has web seeds
My understanding is that torrents do their own built-in MD5 tracking, so you don’t need to worry about this aspect when using torrents as opposed to ‘straight’ downloads.
Thank you all for taking the time to reply. Your explanations make perfect sense, and, as far as ubuntu-mate is concerned I will use the torrents in the future.
Once I have the current 32 & 64 bit ISOs (previously via HTTP) I transfer them to two usb sticks using wimpy’s dd wrapper and then carry them with me on my travels. If any one shows an interest in GNU/Linux guess what…