[SOLVED] Questions about download source and iso file size?

Support & Help Requests
,
#1

I am a bit embarrassed to ask, but I have been in a bit of a shocked state and super paranoid about iso downloads ever since Mint site was hacked.

I was downloading the 16.04 32 bit iso, and noticed that the link seems to be to cdimage.ubuntu dot com, the actual download is coming from weird looking d3f216qdpm0le3.cloudfront dot net? Is this normal and safe? (Ofcourse it is, right?) I remember seeing something similar earlier, but I never found out or fully understood clearly of what exactly is going on and, why is the download comming from such random location?

Also what made me even more confused I stopped the download and used the torrent instead. No problem there, everything went well, md5sum ok…but I noticed that the torrented iso image was 1,65G, which is odd since the direct download seems to be only 1,5G?! Atleast that what it seems to be in the cdimage.ubuntu site and when firefox starts downloading?

I would really appreciate if anyone could clarify the situation.

#2

you can check the download against the published MD5 sums. Assuming you downloaded it to your Downloads folder:

md5sum Downloads/ubuntu-mate-16.04-desktop-i386.iso

if your numbers match your good.

FYI: the reason it is coming from someplace else is the Ubuntu-Mate team is using a CDN to allow for high speed downloads.

If for some reason your downloading under Windows you can get the File Checksum Integrity Verifier from Microsoft.

5 Likes
#3

You can go to https://help.ubuntu.com/community/VerifyIsoHowto for help on verifying ISO
I personnally checked both md5sum and gpg signatures before installing 16.04, in light of what happened to Linux Mint one can’t be too careful.
If you don’t trust mirrors, and the Cloud, you can always use Torrent to get the ISO then check MD5 and to whom the GPG signature belongs.

4 Likes
#4

It’s good to take precaution :slight_smile: I just checked my copy of the ISO (torrent, verified) and spidered the one from cdimage.ubuntu.com.

They are both the same size, it looks different because of the two types of units:

  • 1.6 GB = SI Units = (1000 bytes = 1 kB)
  • 1.5 GiB (1.5G) = IEC Units = (1024 bytes = 1 KiB)

However, both files are exactly the same size:

To spider a URL on Ubuntu and get details without downloading it:

wget --spider http://cdimage.ubuntu.com/ubuntu-mate/releases/16.04/release/ubuntu-mate-16.04-desktop-i386.iso

From there it also reads:

HTTP request sent, awaiting response… 302 Found
Location: http://d3f216qdpm0le3.cloudfront.net/ubuntu-mate-16.04-desktop-i386.iso [following]

So to clarify what’s happening, the server is redirecting to the server that’s actually hosting the file.

3 Likes
#5

Thank you for your answers. I just checked and seems the download now links again to the cdimage.ubuntu.com site.

I think I now understand what is going on, and to sum the information, it is my understanding, that the Ubuntu cdimage site is the one doing the redirecting to the same file in the cloudfront location. This is apparently done if there is a lot of traffic to the main site, so that downloads would not get slowed down too much. I can understand this, although I must say that I think it is confusing and I think it should be stated in the site (cdimage.ubuntu.com that is) that this is done and explained why it is done. However I don’t think it is something that Ubuntu Mate team can do something about as it is not Ubuntu Mate’s own site.