In my last post I briefly mentioned MD5 hash checksums. If you don’t know what this is, the short version is that people who offer files for download also post the MD5 hash checksums of those files. This way, people who download the files can compute the checksums separately and see if they match. If so, the downloaders can be pretty positive the files weren’t tampered with (or that, if they were, whoever tampered with them also took the time to recalculate the checksums and post the tampered results).
It’s a great idea — and while it may not keep your files safe if you keep your checksums in the same place you keep your files (so the attacker can easily post both the bogus checksums and the bogus files), it at least lets your downloaders know they’ve correctly downloaded the entire file. This is really nice when you’re downloading large ISO images — you can verify the file, at least, is good before you start making coasters.
Unfortunately, Windows doesn’t offer built-in support for calculating or verifying checksums. However, there are a variety of little third-party apps that do. The one I’ve been using is Colony West Software’s DigestIT 2004. This little puppy is very useful, because it installs as a Windows Explorer shell extension. Simply right-click on a file and you get checksum calculation and verification options at your fingertips. Best of all, it supports not only MD5 hashes but SHA-1, and it can work with multiple files at once. Very cool!
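As an added example (not code from the original post, and not part of DigestIT), here is a small Python script that does what the post describes: it parses a published md5sum/sha1sum-style checksum list, verifies a downloaded file against it while hashing in chunks so a multi-gigabyte ISO never has to fit in memory, and flags a download that was cut off part way. The file names and digests in it are constructed sample values, not real Red Hat checksums.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Published checksum lists use the md5sum/sha1sum layout:
# "<hex digest>  <filename>" (a "*" before the filename means binary mode).
CHECKSUM_LINE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+?)\s*$")


def parse_checksum_list(text):
    """Return {filename: lowercase hex digest} from a published checksum list."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CHECKSUM_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def file_digest(path, algorithm="md5", chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks; works for ISO images far larger than RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """Return (matches, actual_digest); 32 hex chars means MD5, 40 means SHA-1."""
    algorithm = {32: "md5", 40: "sha1"}.get(len(expected_hex))
    if algorithm is None:
        raise ValueError("unrecognised digest length %d" % len(expected_hex))
    actual = file_digest(path, algorithm)
    # compare_digest does not short-circuit on the first differing character
    return hmac.compare_digest(actual, expected_hex.lower()), actual


def demo():
    """Constructed run: one complete download and one cut off mid-transfer."""
    published = "900150983cd24fb0d6963f7d28e17f72  rhel-4-disc1.iso\n"  # MD5 of b"abc"
    expected = parse_checksum_list(published)["rhel-4-disc1.iso"]
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        complete, truncated = (os.path.join(tmp, n) for n in ("full.iso", "cut.iso"))
        with open(complete, "wb") as f:
            f.write(b"abc")
        with open(truncated, "wb") as f:
            f.write(b"ab")  # transfer stopped early, e.g. the link expired mid-download
        results["complete"] = verify_download(complete, expected)[0]
        results["truncated"] = verify_download(truncated, expected)[0]
    return results
```

A matching checksum only shows the file is intact and identical to what the publisher hashed; as the post notes, if the checksum is hosted beside the file, it does not by itself prove nobody swapped both.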
For a recent project, I needed to obtain copies of the current release of Red Hat Enterprise Linux. For the most part I had a very easy time with this, but there were a couple of aspects of the experience that proved to be extremely frustrating that I wanted to share.
Getting RHEL4 was simple: head over to Red Hat’s website, add the proper package to my cart, and check out. Once the purchase had been verified, I headed over to the download section of Red Hat Network to grab the ISO images. So far, so good; the Red Hat website could use a slight navigation refresh to make it a touch easier to use, and I suffered a delay in getting my purchase to go through thanks to a self-inflicted credit card handling incident, but all-in-all, it was straightforward and exactly what you’d expect to see in a modern e-commerce site.
My problems started when I created my RHN account and logged in to get my downloads. Like many online vendors, Red Hat gives you access to most (if not all) of their commercial offerings for download; when you make a purchase and get a subscription to a product, you get a subscription activation that entitles you to register that system and get updates for it. Here’s where I ran into problems, and my suggestions to Red Hat for fixing them:
- Highlight the products I’ve purchased. After I’ve purchased a product, the system should know what product entitlements I have. While giving me a list of all products is nice (see Figure 1), having some way to highlight the ones I’ve purchased (and would therefore be most likely to want to download) would be really useful. This is a minor gripe, granted, but given the multiple products and bundles Red Hat offers, it would make selecting the right downloads easier.
Figure 1: RHEL4 product channels
- Generate links that don’t die immediately. When you click on one of the products in Figure 1, you’re taken to a page that generates custom download links for you, along with the MD5 hash verification checksums (see Figure 2). On this page, Red Hat helpfully suggests that you use a download manager or use the command-line tools wget or curl (available on Linux, but Windows versions are also available). Again, this is really useful advice — ISO images take time even when you’re sitting on top of a T-1. However — and this part proved to be a huge pain — the links you’re given are only good for a short amount of time before they expire and must be regenerated by logging back in to Red Hat Network and following the navigation links back to your product. I didn’t test it extensively, but it felt like they were good for around four hours. While four hours is adequate to download a single image, it’s not adequate to download the five installation images, the four source images, and the documentation DVD image, even if you’re on one of the better-than-a-T-1 cable modem/DSL connections available today. So even if you follow their advice and use the automated tools, you’re still not going to get everything in one go. Worse, I found that they removed a file while it was being actively downloaded. Happily, I was using wget so I was able to resume the download (once I got the new URL). 4 hours? C’mon, give us at least 24. Better yet, don’t be stingy and give us 72 or 96 hours to complete our downloads — at least for files that haven’t been accessed yet.
Figure 2: RHEL4 download links
- I’m not even going to gripe about hiding the downloads in a registration-required section; I can perfectly understand why a company might want to do that, especially when their free product is available for anyone to anonymously download. But if you’re going to make it inconvenient to download files directly, at least make it so I can follow your directions and get my files downloaded without having to keep going through the inconvenient process to begin with.