MD5sum for v1.2.6 for Windows
Forum rules
Audacity 1.2.x is now obsolete. Please use the current Audacity 2.1.x version.
The final version of Audacity for Windows 98/ME is the legacy 2.0.0 version.
Just downloaded v1.2.6 for Windows. What is the MD5 sum string?
When I checked http://www.winaddons.com/audacity-126, they give MD5: 6659A19FB809B0F5129B5198B82739DC and size 2.15MB, which I think is wrong. I have MD5 d59f24b86431eeb25281bce7817783f1 and SHA1 e2eb75ff817281dd8e21a3933ec0ebab9d0cd712, file size 2.12 MB (2,228,534 bytes).
I think MD5 and/or SHA1 strings should be posted with each download listing to ensure file integrity.
Thanks.
-
waxcylinder
- Forum Staff
- Posts: 14685
- Joined: Tue Jul 31, 2007 11:03 am
- Operating System: Windows 10
Re: MD5sum for v1.2.6 for Windows
________________________________________FOR INSTANT HELP: (Click on Link below)
* * * * * FAQ * * * * * Tutorials * * * * * Audacity Manual * * * * *
Re: MD5sum for v1.2.6 for Windows
Yes, I believe that is where I went (sourceforge).
So I'll download a second copy and compare it against the first one. That should be good enough to check against download corruption. Mirror corruption, yes, if I get a different mirror site. Suppose I got the same mirror, and the file at that mirror site had been corrupted somehow, fiddled with. Then downloading two copies from the same site and comparing would not catch the problem. That's why an official MD5 sum is necessary.
Admittedly a small file, but many sites are posting their MD5 sums. Large downloads, such as for OpenOffice, have MD5 and/or SHA1 available.
-
Gale Andrews
- Quality Assurance
- Posts: 41761
- Joined: Fri Jul 27, 2007 12:02 am
- Operating System: Windows 10
Re: MD5sum for v1.2.6 for Windows
I'll add a Feature Request for that.
Gale
________________________________________FOR INSTANT HELP: (Click on Link below)
* * * * * Tips * * * * * Tutorials * * * * * Quick Start Guide * * * * * Audacity Manual
Re: MD5sum for v1.2.6 for Windows
Any news on the feature request?
-
Gale Andrews
- Quality Assurance
- Posts: 41761
- Joined: Fri Jul 27, 2007 12:02 am
- Operating System: Windows 10
Re: MD5sum for v1.2.6 for Windows
chucky500 wrote: Any news on the feature request?
We have been discussing it amongst ourselves recently (actually for LAME rather than Audacity) but the problems are:
a) we don't want to confuse Windows users by adding things the majority won't understand (I don't mean to be condescending, but checksums would have to be presented so they weren't seen as a mandatory part of installation).
b) MD5 is cracked/unsafe, but using something really secure like SHA-512 means that tools will be hard to find on Windows and/or will be user-unfriendly. SHA-1 is a reasonable compromise with tools available, but still theoretically breakable.
Gale
Re: MD5sum for v1.2.6 for Windows
I have been using digestIT 2004, which has MD5 and SHA1 checks. I don't know where one would go, without starting to dig, for SHA-512. But at least the tool I have is a good check. Thanks for the feedback.
Re: MD5sum for v1.2.6 for Windows
chucky500 wrote: So I'll download a second copy and compare it against the first one. That should be good enough to check against download corruption.
Yes it should. Or you can ask here on the forum and I'm sure that someone would be happy to post their checksum. If it differs from yours then there's a problem. If it doesn't then it's a pretty reliable check.
chucky500 wrote: Suppose I got the same mirror
There are no official mirror sites for Audacity. Audacity should be downloaded from the official site. Always go here to download Audacity: http://audacityteam.org/download/
chucky500 wrote: the file at that mirror site had been corrupted somehow, fiddled with. Then downloading two copies from the same site and comparing would not catch the problem. That's why an official MD5 sum is necessary.
Let's say that there was a "fiddled with" version of Audacity on a seemingly authentic (but actually malicious) web site. (There are "fiddled with" versions of Audacity on the Internet). Let's also say that the site publishes a checksum.
So you go to the seemingly authentic website and download Audacity and the checksum and test it. As long as the malicious web site has published the checksum for the "fiddled with" version, how are you going to know that you've got a fiddled with version? Won't it give you a false sense of security?
Of course you could go to the official Audacity download page to get the checksum, but if you do that then you may as well download Audacity from there too, which eliminates the possibility of it being a "fiddled with" version.
9/10 questions are answered in the FREQUENTLY ASKED QUESTIONS (FAQ)
Re: MD5sum for v1.2.6 for Windows
It may not be so much a problem with audacity (if it actually has only one site to download from, although my notes from Oct. 2009 indicate that I tried downloading from an alternate site (mirror) of http://softlayer.dl.sourceforge.net (doesn't seem to exist anymore) as a check (since I lacked MD5/SHA-1 strings)).
My notes also from that timeframe show http://www.winaddons.com/audacity-126 giving a different MD5 and slightly larger size (2.15MB vs 2.12MB). Who knows what version of audacity they had. Looks like it is still there.
I think there have been some occasions where I've come across downloads that have various mirror sites around the world. You have to wonder what the odds are of encountering a corrupt version out there. So that's why I appreciate an official checksum to take care of that issue AND any download-process corruption, all in one fell swoop.
-
Gale Andrews
- Quality Assurance
- Posts: 41761
- Joined: Fri Jul 27, 2007 12:02 am
- Operating System: Windows 10
Re: MD5sum for v1.2.6 for Windows
chucky500 wrote: So I'll download a second copy and compare it against the first one. That should be good enough to check against download corruption.
steve wrote: Yes it should.
You would have to be very sure your browser or download manager really gave you a second copy. In practice they will give you the same copy from their cache unless you clear the cache or download list.
steve wrote: Or you can ask here on the forum and I'm sure that someone would be happy to post their checksum. If it differs from yours then there's a problem. If it doesn't then it's a pretty reliable check.
That would be better.
steve wrote: There are no official mirror sites for Audacity. Audacity should be downloaded from the official site. Always go here to download Audacity: http://audacityteam.org/download/
There are mirror locations listed on our download pages, though, in other words:
http://sourceforge.net/projects/audacity/files/
SourceForge will by default serve from the mirror closest to your detected location, but it has at least a dozen mirrors.
Also we do use my site for Audacity Windows / Mac downloads when both GoogleCode and SF links fail (as happened once for a short while), though the link is not advertised except for Windows "Nightly" alpha builds.
steve wrote: So you go to the seemingly authentic website and download Audacity and the checksum and test it. As long as the malicious web site has published the checksum for the "fiddled with" version, how are you going to know that you've got a fiddled with version? Won't it give you a false sense of security?
If they had an MD5 and we had an MD5, they could still make that spoof file have the same MD5. We shouldn't consider MD5.
steve wrote: Of course you could go to the official Audacity download page to get the checksum, but if you do that then you may as well download Audacity from there too, which eliminates the possibility of it being a "fiddled with" version.
There is still always the remote possibility of some sort of attack on the server. All you can say is the site owners would not deliberately offer a spoof version.
For large downloads such as an ISO, checksums also have a value in ensuring data integrity and completeness, apart from security considerations.
I think there is a good case for SHA-1 as a moderately secure compromise, just that it's not a priority, given all the other tasks involved in a release.
Gale
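An added example (not from the thread or the Audacity project): the check discussed above, comparing a downloaded file with digests taken from the official download page rather than from the site that served the file. The function names, the `tamper_evident` flag and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import tempfile

WEAK = {"md5", "sha1"}  # catch corruption, but not proof against deliberate tampering

def normalize(hex_digest):
    # Published digests vary in case and spacing; the thread quotes both styles.
    return "".join(hex_digest.split()).lower()

def file_digests(path, algorithms, chunk_size=1 << 20):
    """Hash the file once, in chunks, for every requested algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_download(path, published, expected_size=None):
    """Check a file against {algorithm: hex digest} taken from the official site.
    'tamper_evident' is False when only MD5/SHA-1 digests were available."""
    actual = file_digests(path, published)
    mismatched = [name for name, want in published.items()
                  if not hmac.compare_digest(actual[name], normalize(want))]
    if expected_size is not None and os.path.getsize(path) != expected_size:
        mismatched.append("size")
    strong = any(name not in WEAK for name in published)
    return {"match": not mismatched, "mismatched": mismatched,
            "tamper_evident": not mismatched and strong}

def demo():
    """Run the check on a constructed stand-in file (not the real installer)."""
    data = b"constructed installer bytes\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        good = {"sha256": hashlib.sha256(data).hexdigest().upper()}
        legacy = {"md5": hashlib.md5(data).hexdigest()}
        bad = {"sha256": hashlib.sha256(data + b"x").hexdigest()}
        return (verify_download(tmp.name, good, len(data)),
                verify_download(tmp.name, legacy),
                verify_download(tmp.name, bad))
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

A match only means the file equals whatever the digest's publisher hashed, so the digest has to come from the official page and not from the site that served the download.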