Feature #9043
Check whether BitTorrent clients do proper hash verification
Start date:
2015-03-10
Due date:
% Done:
0%
Description
If they do and if you get a correct .torrent file from our website, then basic ISO verification using checksum is not need. In such a case we could consider skipping the ISO verification extension for Torrent downloads.
Subtasks
Related issues
Related to Tails - |
Rejected | 2015-02-02 |
History
#1 Updated by sajolida 2015-03-10 15:54:08
But on the other hand people also offer third-party torrent, like this one from DistroWatch http://distrowatch.com/weekly.php?issue=20150309#torrent :(
#2 Updated by sajolida 2015-03-13 13:53:12
- Status changed from Confirmed to Resolved
- Assignee deleted (
sajolida)
I did two things but couldn’t find any worrying news about that from the Internet:
- A quick search using the keywords “bittorrent”, “hash”, “verification”, “security”, “implementation”, etc.
- A search for “hash” and “verif” in the archived and unarchived Debian bugs for `transmission`, `azureus`, `bittornado`, `deluge`, `ktorrent`, `qbittorrent`.
Only `rtorrent` had bugs about “hash” (three), the most serious being #348017, fixed in 2007.
So this seems to be handled quite seriously.
I’m very tempted to propose to the user to choose between:
- Either using the Firefox extension (which will do checksum verification).
- Either BitTorrent download (which does checksum verification as well).
#3 Updated by sajolida 2015-03-13 13:54:24
- related to
Feature #8832: Assistant: Removing signature from Torrent added