I was just running an update to Fedora using the superb dnf command. For the first time ever I noticed it caught a checksum error (on the kernel packages, no less!) and did a re-download automatically. Quite impressive, though a little surprised it was using md5 rather than SHA-256.
When doing a manual initial download (of an .iso for a distro, for example), I do like to quickly run the checksum, which I think is standard practice to include for most Linux projects, so that it can be checked.
I am curious how often other users do this if it has to be done manually, not just for .isos but for other manual installations too, that might occasionally be used, not from repos? Feedback appreciated, with thanks.
It happened to Linux Mint a while ago. I always check ISOs because sometimes it just downloads wrong and it saves a lot of headache with the live disc or the installed OS if it happened to do that.
If there’s a checksum I usually will, though it’s great for things I need to depend on, like a distro image.
They’re not really for security because they can’t prove if the website was hacked, but they can prove if the company repo is giving you something the website doesn’t know about, which is an indicator.
If I’m feeling extra spicy I sometimes download the file on a remote server and my local machine to see if the checksums match because I like to LARP as someone who’s important enough to target.
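Added example, not part of the thread: a sketch of the manual check discussed above, hashing a downloaded image in chunks and comparing it with a published SHA-256 listing in either the GNU `sha256sum` or the BSD-style layout. The file name, the function names and the sample listing are constructed for illustration.

```python
import hashlib
import pathlib
import re
import tempfile

# Two layouts: GNU "<hex>  name" / "<hex> *name", and BSD "SHA256 (name) = <hex>".
GNU_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")
BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")


def parse_manifest(text):
    """Return {filename: lowercase sha256 hex}; other lines are ignored."""
    entries = {}
    for line in map(str.strip, text.splitlines()):
        if m := GNU_LINE.match(line):
            entries[m.group(2)] = m.group(1).lower()
        elif m := BSD_LINE.match(line):
            entries[m.group(1)] = m.group(2).lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never sits in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            digest.update(chunk)
    return digest.hexdigest()


def verify(path, manifest_text):
    """'ok', 'mismatch', or 'unlisted' (no entry for this file name)."""
    expected = parse_manifest(manifest_text).get(pathlib.Path(path).name)
    if expected is None:
        return "unlisted"
    return "ok" if sha256_file(path) == expected else "mismatch"


def demo():
    """Constructed sample: a small stand-in file checked against three listings."""
    with tempfile.TemporaryDirectory() as tmp:
        path = pathlib.Path(tmp, "example.iso")
        path.write_bytes(b"constructed sample image\n")
        good = f"# constructed listing\nSHA256 (example.iso) = {sha256_file(path)}\n"
        bad = "0" * 64 + " *example.iso\n"
        return verify(path, good), verify(path, bad), verify(path, "")


if __name__ == "__main__":
    print(demo())
```

An "ok" result only shows that the file matches the listing; whether the listing itself is genuine is a separate question, which is the limitation raised in the reply above.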