AKA, What good is a checksum, anyhow?

A lot of download sites present checksums for you to check that what they host is actually what you download. I, for one, have always been dubious of such measures, and the recent Linux Mint breach proves what I’ve always suspected.

In fact, it is quite clear from various articles like “Backdoored Linux Mint, and the Perils of Checksums” and “Lesson from Linux Mint breach: Trust is not enough” that checksums are a waste of time. If someone is savvy enough to change the download link of the file to be downloaded, then they are savvy enough to check the checksums as well.

Most Linux distributions I know use PGP to sign downloads and updates. Just having the media available on the official site is not good enough. Even though many do have PGP signatures, they need to make the public keys easily findable, something that most simply do not make a sincere effort at. It does no good to sign them if the keys are not available.

Of course, Linux Mint failed on several other fronts, including weak passwords on their forum database that were easily findable. The fact that they have not learned to use more sophisticated passwords is troubling indeed, and you would think those lessons would have already been learned.