
Why would I check my download against a checksum provided by a mirror site?


I thought the point of distributing md5 checksums was so the end user could verify the integrity of the download.

Asked by: Guest | Views: 285
Total answers/comments: 2
Guest [Entry]

You are right in your expectation.
Check this example at Apache.

And this Ubuntu md5sum reference.

In terms of security, cryptographic hashes such as MD5 allow for authentication of data obtained from insecure mirrors.
The MD5 hash must be signed or come from a secure source (an HTTPS page) of an organization you trust.
Guest [Entry]

Usually, ethical mirrors don't want to be interpreted as "spoof" ones. They want to be mirrors because of visibility among other advantages.

They show checksums as the authoritative source does to give them some sort of credibility: "hey, we recommend you to check your checksums as the official website says!".

I believe this is the mirror's POV. As a user, I usually check with both sources.
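
An added example, not part of either answer above: a Python sketch of checking a download against the checksum list from the trusted origin while treating the mirror's list as advisory only. The function names, the file name `pkg.tar.gz` and the digest-length-to-algorithm mapping are assumptions of this example, and the trusted list is assumed to have been fetched over HTTPS or signature-verified already.

```python
import hashlib
import hmac

# Hex digest length -> hashlib algorithm (this example's own convention).
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
HEX = set("0123456789abcdef")

def parse_checksum_list(text):
    """Parse md5sum/sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'."""
    entries = {}
    for line in text.splitlines():
        digest, _, name = line.strip().partition(" ")
        digest, name = digest.lower(), name.strip()
        if name.startswith("*"):          # binary-mode marker
            name = name[1:]
        if name and len(digest) in ALGO_BY_HEX_LEN and set(digest) <= HEX:
            entries[name] = digest
    return entries

def file_digest(path, algo):
    """Hash the file in 1 MiB chunks so large images need little memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, name, trusted_list, mirror_list=None):
    """Check the file against the trusted list; the mirror list is only advisory."""
    trusted = parse_checksum_list(trusted_list).get(name)
    if trusted is None:
        return "no-trusted-checksum"      # never fall back to the mirror's value
    actual = file_digest(path, ALGO_BY_HEX_LEN[len(trusted)])
    if not hmac.compare_digest(actual, trusted):
        return "mismatch-with-trusted"
    mirror = parse_checksum_list(mirror_list or "").get(name)
    if mirror is not None and mirror != trusted:
        return "ok-but-mirror-list-differs"
    return "ok"

if __name__ == "__main__":
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed sample payload\n")   # constructed sample data
    good = hashlib.sha256(b"constructed sample payload\n").hexdigest()
    trusted = f"{good}  pkg.tar.gz\n"                 # as if from the HTTPS origin
    mirror = f"{'0' * 64} *pkg.tar.gz\n"              # constructed differing mirror list
    print(verify_download(tmp.name, "pkg.tar.gz", trusted, mirror))
```

A result of `ok-but-mirror-list-differs` means the file matches the origin's checksum but the mirror publishes a different value, which is worth reporting to the mirror or the project.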