Suggestion: Direct download link for checksums?

fab161 · 20 March 2023 20:04

Hello everybody,

everytime I installed and used Ubuntu MATE in the past, it has been a nice experience. However, I do have a tiny issue with ubuntu-mate.org.
On the downloads page, Ubuntu MATE provides the sha256sums for the ISO files written out. As I always check the verifications sums of ISO files, I want to use for hardware installs, I've found this very inconvenient:

Manually comparing a checksum can easily suffer from (my) human errors. For that reason, I'd love to see Ubuntu MATE providing an additional direct download link for the checksum file. Downloading the checksum file makes it possible to easily verify an image using the --check flag for the sha256sum utility.

If somebody wants to verify an image depends on their level of trust in the source said image. Personally, I see the verification process as a responsibility I have as an user.

Sure, I could search for the right directory based on the ISO download link, but is this really user friendly? I'd love to see this becoming as 'hassle free' as possible as it's always good to lower the barrier (not only) for new users. Providing a direct link could be an addition, as it doesn't have to replace the current presentation.

Again: Thank you for developing and supporting Ubuntu MATE!

Best regards,
Fabian

pavlos_kairis · 20 March 2023 20:16

click on Browse Downloads, select your arch, and it lists both iso and sha256.

you can just copy link and get it with wget or curl.

fab161 · 20 March 2023 20:21

Thank you for the reply.
I've checked that option already and in the 22.04 and Jammy directories I could only choose between arm64 and armhf (not amd64).

Edit: Found some useful stuff in the 'archived' directory... Probably that would work. Personally, I think this is not too straight forward.

Bombilla · 21 March 2023 00:38

Welcome @fab161 to the community!

colinux · 22 March 2023 09:00

if you download and update your mate iso files with zsync they are automatically checksummed without intervention required.

fab161 · 22 March 2023 09:07

Thank you for the reply. Could you explain this a little further? I am not familiar with zsync yet. However, I heard something similar about torrent downloads. Are these automatically verified as well?

colinux · 23 March 2023 20:45

zsync is a file transfer program to download files from
remote web servers. If a previous version of a file is available
locally, zsync will only download changed parts and hereby
minimise the download volume. The algorithm is the same as used by rsync(1), but zsync does not require any server software
(apart from a web server), nor does it need shell access.
Instead, it uses a control file (.zsync file) that describes the
file to be downloaded, which it uses to determine the blocks to
fetch. This file is created once on the server (and not for each
request) and sits next to actual file to download.
To use
sudo apt install zsync
Create a folder where you would want to save your iso.
From within that folder, right click and select open in terminal.
Copy and paste the following line into the opened terminal.
zsync http://cdimage.ubuntu.com/ubuntu-mate/daily-live/current/lunar-desktop-amd64.iso.zsync
Watch magic happen.

pavlos_kairis · 23 March 2023 20:59

colin ... typo ... sudo apt install zsync

colinux · 23 March 2023 23:22

oops!
edited corrected
thanks

luvPOGL · 28 March 2023 15:29

The easiest thing form me was to just copy the checksum and paste it into a blank .txt file which I save. Then I had it available to verify regardless of which method is being used to confirm the download.

The question you asked though did spark some "piggyback" questions of concern, for instance by adding a link as you suggest and an alternate method, doesn't it only open the door for greater security risk and user confusion?

From a recent user who transitioned from WIndows OS - after having a few copies stolen - it took me some time and frustration to navigate the already existing options for download verification and one point of concern that always arose was if the method I was using was specific to a certain download "flavor" as it seemed the information on the download sites for each version was inconsistent.

The best I found and still use is from here How to verify your Ubuntu download | Ubuntu - as I just determined it to be the most credible of all I scoured through.

The same trust you mention in downloading the .iso is the same trust the user has to put in to the checksum value they are given as "legitimate". What seems to make the most sense to me is if at the time you downloaded the .iso a unique identifier could be used to confirm legitimacy, but this still doesn't address the "trust" issues.

I wonder too if it is ever realized that when a person purchases a product from either a brick & mortar or online, it is not their job to ensure the validity of the product they buy. There is an inherent understanding between buyer and seller that what they are offering is legitimate for purchase. The seller has the responsibility to ensure that what is being offered is authentic and represented as such.

Regards,
#luvPOGL

Bombilla · 28 March 2023 16:07

Welcome @luvPOGL to the community!