Feature #9043

Check whether BitTorrent clients do proper hash verification

Added by sajolida 2015-03-10 10:56:01 . Updated 2015-03-13 13:53:12 .

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Installation
Target version:
Start date:
2015-03-10
Due date:
% Done:

0%

Feature Branch:
Type of work:
Research
Blueprint:

Starter:
Affected tool:
ISO Verification Extension
Deliverable for:

Description

If they do and if you get a correct .torrent file from our website, then basic ISO verification using checksum is not need. In such a case we could consider skipping the ISO verification extension for Torrent downloads.


Subtasks


Related issues

Related to Tails - Feature #8832: Assistant: Removing signature from Torrent Rejected 2015-02-02

History

#1 Updated by sajolida 2015-03-10 15:54:08

But on the other hand people also offer third-party torrent, like this one from DistroWatch http://distrowatch.com/weekly.php?issue=20150309#torrent :(

#2 Updated by sajolida 2015-03-13 13:53:12

  • Status changed from Confirmed to Resolved
  • Assignee deleted (sajolida)

I did two things but couldn’t find any worrying news about that from the Internet:

  • A quick search using the keywords “bittorrent”, “hash”, “verification”, “security”, “implementation”, etc.
  • A search for “hash” and “verif” in the archived and unarchived Debian bugs for `transmission`, `azureus`, `bittornado`, `deluge`, `ktorrent`, `qbittorrent`.

Only `rtorrent` had bugs about “hash” (three), the most serious being #348017, fixed in 2007.

So this seems to be handled quite seriously.

I’m very tempted to propose to the user to choose between:

  • Either using the Firefox extension (which will do checksum verification).
  • Either BitTorrent download (which does checksum verification as well).

#3 Updated by sajolida 2015-03-13 13:54:24

  • related to Feature #8832: Assistant: Removing signature from Torrent added