Search Unity

  1. Megacity Metro Demo now available. Download now.
    Dismiss Notice
  2. Unity support for visionOS is now available. Learn more in our blog post.
    Dismiss Notice

MD5 sums with deb packages

Discussion in 'Linux' started by jimmikaelkael, Sep 17, 2015.

  1. jimmikaelkael

    jimmikaelkael

    Joined:
    Apr 27, 2015
    Posts:
    791
    Hi,

    It's great to see Unity Editor on my favourite OS, but here's my experience.

    It happened me twice to download a corrupted Unity deb package. @natosha.bard it would be great to provide the MD5 sums for every deb package you are providing.

    I think linux users will apreciate it as they like to check freshly downloaded packages to ensure they are working with a clean file, especially with installable packages.

    Keep up Unity Team, it's great!
     
    ma1onso likes this.
  2. josefnpat

    josefnpat

    Joined:
    Apr 17, 2013
    Posts:
    10
    +1, but with SHA256's. (MD5's are easy attack vectors when considering mirrors)

    I too have limited internet access, and download these binaries at remote locations. It would be nice to compare SHA256's against what I download at a local wifi access point, so I know when I get home I have the right binary.

    If you are familiar with arch's AURs, you know that the PKGBUILD validates with hashes as a part of the verification process. I know there was some discussion in the comments for the `unity-editor`AUR about how the SHA256 changed at one point for the EULA, this invalidating the AUR. Having a set SHA256 would also encourages archived builds to go untouched to provide a better baseline.

    Also, supplying an "official SHA256" would allow for folks to trust mirrors.

    Here are the SHA256 sums:

    Code (csharp):
    1. bf73e7693ae15b271dbbd55010eb33fae3400b964fa4b70289bd5a17d19d5493  unity-editor-installer-5.1.0f3+2015082501.sh
    2. 39aaa61d7a35c12329f69a7952ae6f6a1685c8d9125238de60979ba56aae769e  unity-editor-installer-5.1.0f3+2015090301.sh
    3. 77b351d80fc4b63284f118093df486e16c13d7b136debae6534245878029a5ca  unity-editor-installer-5.1.0f3+2015091501.sh
    Here are the MD5 sums:

    Code (csharp):
    1. dbe1ddc9ebc999b6b538829a90df99a8  unity-editor-installer-5.1.0f3+2015082501.sh
    2. 195b97e5fcaa77f70508b33e336c6a94  unity-editor-installer-5.1.0f3+2015090301.sh
    3. b928749963a3bd854ad535371d5dbe87  unity-editor-installer-5.1.0f3+2015091501.sh
    I will update these values as I download them if @natosha.bard decides against posting the hash sums the main information thread.
     
    Last edited: Sep 21, 2015
    Ryiah, fjalla and zak-reynolds like this.
  3. fjalla

    fjalla

    Joined:
    Nov 6, 2012
    Posts:
    73
    I would like comment on this. Yes, there were issues with checksums for the EULA, but we were extracting it from a webpage, and the webpage had some web tokens on it that changed over time (and quite quickly), changing the checksums with it. It had nothing to do with the package.

    That said, having SHA256SUMs from official sources (and a plaintext EULA!) available on build publish would help, but we would still not be able to just push the checksums into the package without downloading it, since we are obliged to build and test the package before publishing it, or risk sending out a broken and unusable package. But it would help prevent user errors, thus making the package more stable.

    Anyway, thanks @josefnpat for providing the checksums. I'll double check on them before updating the PKGBUILD.
     
  4. t_w

    t_w

    Joined:
    Aug 4, 2015
    Posts:
    55
    ++1
     
  5. mipesom

    mipesom

    Joined:
    Apr 26, 2014
    Posts:
    1
    +1, checksums would be great!
     
  6. josefnpat

    josefnpat

    Joined:
    Apr 17, 2013
    Posts:
    10
    That explains the EULA issues. I figured that the EULA was being updated, but I didn't realize it was the tokens on the page that was causing the change.

    No problem, but I wouldn't count on me being able to deliver the checksums when the binaries come out. In fact, the last checksum I pulled from your AUR package :) Thanks for all your effort for maintaining the AUR package!

    Anyway, I have downloaded the most recent binary, and have updated my post with the newest MD5 for @jimmikaelkael .
     
    fjalla and jimmikaelkael like this.