Feature #9043: Check whether BitTorrent clients do proper hash verification

Feature #9043

Check whether BitTorrent clients do proper hash verification

Added by sajolida 2015-03-10 10:56:01 . Updated 2015-03-13 13:53:12 .

Status:

Resolved

Priority:

Normal

Assignee:

Category:

Installation

Target version:

Start date:

2015-03-10

Due date:

% Done:

Feature Branch:

Type of work:

Research

Blueprint:

Starter:

Affected tool:

ISO Verification Extension

Deliverable for:

Description

If they do and if you get a correct .torrent file from our website, then basic ISO verification using checksum is not need. In such a case we could consider skipping the ISO verification extension for Torrent downloads.

Subtasks

Related issues

Related to Tails - ~~Feature #8832~~: Assistant: Removing signature from Torrent

Rejected

2015-02-02

History

#1 Updated by sajolida 2015-03-10 15:54:08

But on the other hand people also offer third-party torrent, like this one from DistroWatch http://distrowatch.com/weekly.php?issue=20150309#torrent :(

#2 Updated by sajolida 2015-03-13 13:53:12

Status changed from Confirmed to Resolved
Assignee deleted (~~sajolida~~)

I did two things but couldn’t find any worrying news about that from the Internet:

A quick search using the keywords “bittorrent”, “hash”, “verification”, “security”, “implementation”, etc.
A search for “hash” and “verif” in the archived and unarchived Debian bugs for `transmission`, `azureus`, `bittornado`, `deluge`, `ktorrent`, `qbittorrent`.

Only `rtorrent` had bugs about “hash” (three), the most serious being #348017, fixed in 2007.

So this seems to be handled quite seriously.

I’m very tempted to propose to the user to choose between:

Either using the Firefox extension (which will do checksum verification).
Either BitTorrent download (which does checksum verification as well).

#3 Updated by sajolida 2015-03-13 13:54:24

related to ~~Feature #8832~~: Assistant: Removing signature from Torrent added