MD5sum for v1.2.6 for Windows

Audacity 1.2.x is now obsolete. Please use the current Audacity 2.1.x version.

The final version of Audacity for Windows 98/ME is the legacy 2.0.0 version.

Re: MD5sum for v1.2.6 for Windows

Post by chucky500 » Sat Sep 24, 2011 6:13 am

Gale Andrews wrote:
steve wrote:
chucky500 wrote: So I'll download a second copy and compare it against the first one. That should be good enough to check against download corruption.
Yes it should.
You would have to be very sure your browser or download manager really gave you a second copy. In practice they will give you the same copy from their cache unless you clear the cache or download list.
Gale
Yes, I've stubbed my toe on that... :o
Gale Andrews wrote:
steve wrote: Or you can ask here on the forum and I'm sure that someone would be happy to post their checksum. If it differs from yours then there's a problem. If it doesn't then it's a pretty reliable check.
That would be better.
Gale
Means wait... and hope someone answers (they probably will).
Gale Andrews wrote:
steve wrote: There are no official mirror sites for Audacity. Audacity should be downloaded from the official site. Always go here to download Audacity: http://audacityteam.org/download/
There are mirror locations listed on our download pages, though, in other words:
http://sourceforge.net/projects/audacity/files/

SourceForge will by default serve from the mirror closest to your detected location, but it has at least a dozen mirrors.

Also we do use my site for Audacity Windows / Mac downloads when both GoogleCode and SF links fail (as happened once for a short while), though the link is not advertised except for Windows "Nightly" alpha builds.
steve wrote: So you go to the seemingly authentic website and download Audacity and the checksum and test it. As long as the malicious web site has published the checksum for the "fiddled with" version, how are you going to know that you've got a fiddled with version? Won't it give you a false sense of security?
If they had an MD5 and we had an MD5, they could still make that spoof file have the same MD5. We shouldn't consider MD5.
Gale
Is this because MD5 can be hacked, as you mentioned Sept. 20? Otherwise, I would expect that a file that is different in any of its bits would have a different MD5.
Gale Andrews wrote:
steve wrote: Of course you could go to the official Audacity download page to get the checksum, but if you do that then you may as well download Audacity from there too, which eliminates the possibility of it being a "fiddled with" version.
There is still always the remote possibility of some sort of attack on the server. All you can say is the site owners would not deliberately offer a spoof version.

For large downloads such as an ISO, checksums also have a value in ensuring data integrity and completeness, apart from security considerations.

I think there is a good case for SHA-1 as a moderately secure compromise, just that it's not a priority, given all the other tasks involved in a release.



Gale
Yes, I agree. If you could do an SHA-1, it would be helpful.


Re: MD5sum for v1.2.6 for Windows

Post by steve » Sat Sep 24, 2011 11:14 am

Gale Andrews wrote: There are mirror locations listed on our download pages, though, in other words:
http://sourceforge.net/projects/audacity/files/

SourceForge will by default serve from the mirror closest to your detected location, but it has at least a dozen mirrors.

Also we do use my site for Audacity Windows / Mac downloads when both GoogleCode and SF links fail (as happened once for a short while), though the link is not advertised except for Windows "Nightly" alpha builds.
All totally true, but my point being that if users always use one of the official download links then they are extremely unlikely to get a hacked version of Audacity, whereas if they download from "some other website" then the chances of getting a hacked version are IMHO dangerously high.

On this subject, what is the web site "download-audacity.com"? The so-called "AudacitySetup.exe" file from that site is most certainly NOT Audacity, but in the absence of an Ad-blocker it will frequently come up as the first hit in a Google search for Audacity.


Re: MD5sum for v1.2.6 for Windows

Post by Gale Andrews » Sun Sep 25, 2011 4:20 am

steve wrote: my point being that if users always use one of the official download links then they are extremely unlikely to get a hacked version of Audacity, whereas if they download from "some other website" then the chances of getting a hacked version are IMHO dangerously high.
We can never stop Audacity being downloaded elsewhere; however, one of my arguments for providing a menu link from Audacity to update it is that once a genuine version has been obtained there should then be minimal danger of it being updated from a spoof site.

Another advantage of a checksum is that if a user says there is a trojan in it, we can say "here is the checksum of Audacity, try your download in this checksum tool <link>. If you don't get the same number then what you got isn't what we provide".
steve wrote: On this subject, what is the web site "download-audacity.com"? The so-called "AudacitySetup.exe" file from that site is most certainly NOT Audacity, but in the absence of an Ad-blocker it will frequently come up as the first hit in a Google search for Audacity.
It's a malware site and their use of "Audacity" in the link and the ad text is an abuse of our trademark. I've been working with Google for months to finally get it removed from google.com but for whatever reason, they can't seem to kill it and they get slower and slower to respond on why they can't kill it.

Note we can never force removal of that ad from google.co.uk without separately registering the word "Audacity" with the copyright authorities in the UK then registering that UK "word" with Google.

And this is to say nothing about other search portals like Yahoo and Bing that come up with malware links when searching for "Audacity".


Gale
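The checksum check discussed in this thread, as an added example that is not part of the original posts or Audacity's own tooling: it hashes a download in chunks, compares it with a published MD5, SHA-1 or SHA-256 hex digest, and marks MD5 and SHA-1 matches as corruption checks only. The function names and sample files are constructed for illustration, and the published digest is assumed to come from the official download page.

```python
import hashlib
import os
import tempfile

ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm
COLLISION_WEAK = {"md5", "sha1"}  # known collision attacks: corruption check only


def file_digest(path, algo, chunk=1 << 20):
    """Hash a file in chunks so a large download (e.g. an ISO) is never fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_download(path, published):
    """Return (status, algo); status is 'match', 'match-weak' or 'mismatch'."""
    published = published.strip().lower()
    algo = ALGO_BY_HEX_LEN.get(len(published))
    if algo is None or any(c not in "0123456789abcdef" for c in published):
        raise ValueError("expected an MD5, SHA-1 or SHA-256 hex digest")
    if file_digest(path, algo) != published:
        return "mismatch", algo
    return ("match-weak" if algo in COLLISION_WEAK else "match"), algo


def demo():
    """Run the check on constructed sample files (not real Audacity installers)."""
    original = b"constructed installer bytes\n" * 4096
    altered = bytearray(original)
    altered[100] ^= 0x01  # a single flipped bit, as from a corrupted download
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good.exe"), os.path.join(tmp, "bad.exe")
        with open(good, "wb") as fh:
            fh.write(original)
        with open(bad, "wb") as fh:
            fh.write(altered)
        md5 = hashlib.md5(original).hexdigest()
        sha256 = hashlib.sha256(original).hexdigest()
        return {
            "good_sha256": check_download(good, sha256),
            "good_md5": check_download(good, md5.upper() + "\n"),  # pasted with case/newline noise
            "bad_md5": check_download(bad, md5),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```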