If they do and if you get a correct .torrent file from our website, then basic ISO verification using a checksum is not needed. In such a case we could consider skipping the ISO verification extension for Torrent downloads.
#1 Updated by sajolida over 4 years ago
But on the other hand people also offer third-party torrents, like this one from DistroWatch http://distrowatch.com/weekly.php?issue=20150309#torrent :(
#2 Updated by sajolida over 4 years ago
- Status changed from Confirmed to Resolved
- Assignee deleted (
I did two things but couldn't find any worrying news about that from the Internet:
- A quick search using the keywords "bittorrent", "hash", "verification", "security", "implementation", etc.
- A search for "hash" and "verif" in the archived and unarchived Debian bugs for `transmission`, `azureus`, `bittornado`, `deluge`, `ktorrent`, `qbittorrent`.
Only `rtorrent` had bugs about "hash" (three), the most serious being #348017, fixed in 2007.
So this seems to be handled quite seriously.
I'm very tempted to propose to the user to choose between:
- Either using the Firefox extension (which will do checksum verification).
- Or a BitTorrent download (which does checksum verification as well).
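
What the per-piece check discussed in this ticket amounts to, as an added example (not part of the original ticket and not any client's code): every piece is compared with the SHA-1 table inside the .torrent, so the result is only as trustworthy as the .torrent file itself. The function names and the sample "ISO" bytes are constructed for illustration, and only single-file torrents are handled.

```python
import hashlib

def bdecode(data, i=0):
    """Decode one bencoded value at data[i]; return (value, next_index)."""
    c = data[i:i + 1]
    if c == b"i":                               # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                       # list or dictionary
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            item, i = bdecode(data, i)
            items.append(item)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    colon = data.index(b":", i)                 # byte string: <len>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def bad_pieces(torrent_bytes, payload):
    """Return indices of pieces whose SHA-1 differs from the .torrent metadata."""
    info = bdecode(torrent_bytes)[0][b"info"]
    plen, hashes = info[b"piece length"], info[b"pieces"]
    expected = [hashes[k:k + 20] for k in range(0, len(hashes), 20)]
    if (len(payload) != info[b"length"] or len(hashes) % 20
            or len(expected) != -(-len(payload) // plen)):
        raise ValueError("payload size or hash table does not match metadata")
    return [n for n, h in enumerate(expected)
            if hashlib.sha1(payload[n * plen:(n + 1) * plen]).digest() != h]

def make_torrent(payload, plen):
    """Build a constructed single-file .torrent (demo helper, hypothetical)."""
    pieces = b"".join(hashlib.sha1(payload[k:k + plen]).digest()
                      for k in range(0, len(payload), plen))
    info = (b"d6:lengthi%de4:name8:demo.iso12:piece lengthi%de6:pieces%d:"
            % (len(payload), plen, len(pieces))) + pieces + b"e"
    return b"d4:info" + info + b"e"

# Constructed sample data: a 10240-byte stand-in for an ISO, 4096-byte pieces.
ISO = bytes(range(256)) * 40
TORRENT = make_torrent(ISO, 4096)
TAMPERED = ISO[:5000] + bytes([ISO[5000] ^ 1]) + ISO[5001:]

if __name__ == "__main__":
    print(bad_pieces(TORRENT, ISO))        # genuine torrent, genuine file
    print(bad_pieces(TORRENT, TAMPERED))   # genuine torrent, modified file
    print(bad_pieces(make_torrent(TAMPERED, 4096), TAMPERED))  # third-party torrent
```

The last call is the third-party case raised in comment #1: a .torrent generated from a modified image verifies that image without complaint, so the piece check only replaces ISO verification when the .torrent comes from a trusted source.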