Recently I wanted to edit some sounds, and I went to download Audacity right away. When browsing the site, I landed on this page https://www.audacityteam.org/download/online-safety-when-downloading/.
I have been using GNU/Linux for a few years now, and there are always notes like "check the checksum" or "don't forget to verify the source of the download", but oh well, they mostly go unnoticed on my side as I rarely use any PPAs or download fishy binaries from the internet. Most of the time I go to, hopefully, "official" websites and try downloads from there or from official package manager repositories. The web page got me worried though, and my question is: is it really so usual that people get exploited by downloading binaries even from legitimate-looking websites, or by not checking the checksums? Or is the warning mostly meant for beginners in browsing the Internet?
There are probably millions of fake websites on the Internet. It’s doubtful that any of them were created for good reasons.
There are many reasons why a checksum test might fail: the download may be incomplete, it may be a fake version, it may be an unofficial version…
If the checksum of the downloaded file matches the published checksum, then the downloaded file is identical to the file that the published checksum relates to.
You can also look up a checksum on VirusTotal. For example, this is the Audacity 2.4.2 Windows installer:
Shareware sites are notorious for bundling adware. Not all shareware sites do that, but many do. If you can only get a file from a shareware site (perhaps you need an old version for some reason and it is not available from the official website), and if you know what the checksum should be, then you can verify that the file you download is the file that you are expecting.
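The verification described in the reply above, as an added worked example (my own code, not part of the original thread and not Audacity's own tooling): it reads a "digest  filename" list of the kind projects publish next to their downloads, hashes the local file in chunks, and reports separately whether the file is incomplete (size differs from the expected size) or altered (digest differs). The "installer" bytes and the published checksum are constructed inline so the script runs offline; the filenames, the hypothetical SHA256SUMS text and the expected size are assumptions, not values from the Audacity site.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_lines(text):
    """Parse 'hexdigest  filename' lines as written by sha256sum/shasum.

    sha256sum separates the digest from the name with two spaces (text mode)
    or ' *' (binary mode); both forms are accepted. Returns {filename: digest}.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if name:
            table[name] = digest.lower()
    return table


def verify_download(path, expected_hex, algorithm="sha256", expected_size=None):
    """Return (ok, reason). Size is checked first to tell an incomplete download
    from a modified one; the digest comparison is constant-time out of habit."""
    expected_hex = expected_hex.strip().lower()
    if expected_size is not None:
        actual_size = os.path.getsize(path)
        if actual_size != expected_size:
            return False, (f"size mismatch: {actual_size} bytes on disk, "
                           f"{expected_size} expected (incomplete or altered download)")
    actual = file_digest(path, algorithm)
    if not hmac.compare_digest(actual, expected_hex):
        return False, f"{algorithm} mismatch: got {actual}, published {expected_hex}"
    return True, "checksum matches the published value"


def demo():
    """Constructed scenario: one genuine file, one truncated copy, one copy with a
    single byte changed. Returns {case_name: verification result}."""
    # Constructed stand-in for an installer; NOT a real Audacity binary.
    genuine = b"MZ" + bytes(range(256)) * 64
    published = hashlib.sha256(genuine).hexdigest()
    # Hypothetical SHA256SUMS text of the kind a project publishes beside its downloads.
    sha256sums = f"{published}  installer-genuine.exe\n"
    sha256sums += f"{published}  installer-truncated.exe\n"
    sha256sums += f"{published} *installer-tampered.exe\n"
    table = parse_checksum_lines(sha256sums)

    cases = {
        "installer-genuine.exe": genuine,
        "installer-truncated.exe": genuine[:-1000],
        "installer-tampered.exe": genuine[:100] + b"\x00" + genuine[101:],
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, data in cases.items():
            path = os.path.join(d, name)
            with open(path, "wb") as f:
                f.write(data)
            ok, reason = verify_download(path, table[name], expected_size=len(genuine))
            print(f"{name}: {'OK' if ok else 'FAIL'} ({reason})")
            results[name] = ok
    return results


if __name__ == "__main__":
    demo()
```

Two practical notes. The published checksum has to come from somewhere the attacker who replaced the file could not also edit, typically the project's official page over HTTPS rather than a text file sitting next to the download on a mirror; if the project also publishes a signature (GPG or a code-signing certificate on the installer), that is the stronger check. And the digest the script prints is the same value you would paste into the VirusTotal search box to look the file up without uploading it, as the reply mentions.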
Thank you, those are quite valid points, which I forgot about or didn't even know, for example the shareware sites. An especially big thank you for such a quick reply (: