MD5 sums with deb packages

Discussion in 'Linux Editor' started by jimmikaelkael, Sep 17, 2015.

  1. jimmikaelkael


    Apr 27, 2015

    It's great to see Unity Editor on my favourite OS, but here's my experience.

    It has happened to me twice that I downloaded a corrupted Unity deb package. @natosha.bard it would be great to provide the MD5 sums for every deb package you are providing.

    I think Linux users will appreciate it as they like to check freshly downloaded packages to ensure they are working with a clean file, especially with installable packages.

    Keep up Unity Team, it's great!
    amarok-blue likes this.
  2. josefnpat


    Apr 17, 2013
    +1, but with SHA256's. (MD5's are easy attack vectors when considering mirrors)

    I too have limited internet access, and download these binaries at remote locations. It would be nice to compare SHA256's against what I download at a local wifi access point, so I know when I get home I have the right binary.

    If you are familiar with Arch's AURs, you know that the PKGBUILD validates with hashes as a part of the verification process. I know there was some discussion in the comments for the `unity-editor` AUR about how the SHA256 changed at one point for the EULA, thus invalidating the AUR. Having a set SHA256 would also encourage archived builds to go untouched to provide a better baseline.

    Also, supplying an "official SHA256" would allow for folks to trust mirrors.

    Here are the SHA256 sums:

    Code (csharp):
    bf73e7693ae15b271dbbd55010eb33fae3400b964fa4b70289bd5a17d19d5493
    39aaa61d7a35c12329f69a7952ae6f6a1685c8d9125238de60979ba56aae769e
    77b351d80fc4b63284f118093df486e16c13d7b136debae6534245878029a5ca

    Here are the MD5 sums:

    Code (csharp):
    dbe1ddc9ebc999b6b538829a90df99a8
    195b97e5fcaa77f70508b33e336c6a94
    b928749963a3bd854ad535371d5dbe87

    I will update these values as I download them if @natosha.bard decides against posting the hash sums in the main information thread.
    Last edited: Sep 21, 2015
    Ryiah, fjalla and zak-reynolds like this.
  3. fjalla


    Nov 6, 2012
    I would like to comment on this. Yes, there were issues with checksums for the EULA, but we were extracting it from a webpage, and the webpage had some web tokens on it that changed over time (and quite quickly), changing the checksums with it. It had nothing to do with the package.

    That said, having SHA256SUMs from official sources (and a plaintext EULA!) available on build publish would help, but we would still not be able to just push the checksums into the package without downloading it, since we are obliged to build and test the package before publishing it, or risk sending out a broken and unusable package. But it would help prevent user errors, thus making the package more stable.

    Anyway, thanks @josefnpat for providing the checksums. I'll double check on them before updating the PKGBUILD.
  4. t_w


    Aug 4, 2015
  5. mipesom


    Apr 26, 2014
    +1, checksums would be great!
  6. josefnpat


    Apr 17, 2013
    That explains the EULA issues. I figured that the EULA was being updated, but I didn't realize it was the tokens on the page that were causing the change.

    No problem, but I wouldn't count on me being able to deliver the checksums when the binaries come out. In fact, the last checksum I pulled from your AUR package :) Thanks for all your effort for maintaining the AUR package!

    Anyway, I have downloaded the most recent binary, and have updated my post with the newest MD5 for @jimmikaelkael.
    fjalla and jimmikaelkael like this.
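
The check discussed in this thread (comparing a downloaded package against a SHA256 obtained from a source you trust), as an added example that is not part of any post. The function name `verify_sha256` is hypothetical, `sha256sum` from GNU coreutils is assumed, and the demo file is constructed rather than a Unity package.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX   (hypothetical helper, added example)
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    file=$1
    # Published sums are sometimes upper-case; normalise before comparing.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Refuse anything that is not hex, so a pasted URL or filename is caught.
    case $expected in
        ''|*[!0-9a-f]*)
            echo "error: expected value is not a hex digest" >&2
            return 2 ;;
    esac
    # A SHA-256 digest is 64 hex digits; 32 digits means an MD5 was pasted.
    if [ "${#expected}" -ne 64 ]; then
        echo "error: expected 64 hex digits, got ${#expected}" >&2
        return 2
    fi
    if [ ! -f "$file" ]; then
        echo "error: no such file: $file" >&2
        return 2
    fi

    # Read via stdin so unusual filenames cannot alter sha256sum's output.
    actual=$(sha256sum < "$file" | cut -d' ' -f1) || return 2

    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Constructed demo: an empty file has a well-known SHA-256 digest.
demo=$(mktemp)
verify_sha256 "$demo" \
    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
rm -f "$demo"
```

A match only shows that the file equals whatever the digest was computed from, so the expected value has to come from a channel you trust more than the download itself.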