I'm trying to figure out how to verify an .ISO I just downloaded from . I've done this before, but there seem to be more steps now. This is painfully complicated. Is there some way we can make this easier for Jo User to understand the benefits of, and to do, the first time they are figuring out how to dual-boot ?

@strypey Tangent: I confess, you post so much about tech I have a hard time thinking of you as Joe User 😂 and maybe that's a problem in itself, that caring about tech and using software products that aren't from mega-corporations is considered the sole domain of techies.

@lj_writes my programming and sysadmin skills are very limited, definitely Joe User compared to a lot of the geeks who hang out in the fediverse. That said, this isn't my first rodeo (I first installed GNU/Linux in the early 2000s), and I'm no longer the Jo User I described. I definitely remember that experience though, which is why I'm always banging on about the importance of . There will always be new users learning computer basics for the first time.

@MatejLach 1) that's only half the process now (you also have to check the signature of the sha512sum), and 2) that's not too hard for me, having got pretty confident with looking up and following instructions on basic CLI tasks, but incredibly confusing for the Jo User I described.

@strypey @MatejLach I first followed such steps much later than yourself and, likely being somewhere between Joe User and yourself can confirm that the first time one comes upon such instructions for a distribution you hope may be a step towards getting more familiar with the command line, many a user will feel stupid and discouraged. It is likely that most could continue with the install, but they may feel unsure they have done it right and rather nervous about the listed dangers.

@strypey @MatejLach

Hmm... I've always understood the instructions you linked as "check the SHA sums, and if you care about malicious attackers modifying the iso and checksums on purpose, you can also check the signature on the checksums".

I guess they could just serve the SHAs over https from one of their servers which they trust the most, or even put them on the instructions page itself, though I don't know how often new versions of the ISOs are released.

@Wolf480pl how about a GUI app you can download from a reliable repository (ie *not* an .EXE / .DMG / .RPM /.APK / from a web page), that allows a user to choose a distro/verson, then downloads it, verifies it, checks signatures, and makes it into a / ?

@strypey @MatejLach Well, that'd certainly help in some threat models, in particular when the user already trusts the store of whatever system they're already using.

OTOH, it can cause some issues:
- it may seem like you're endorsing the store
- the store gets some control over the distro (eg. can pressure the distro by threatening to remove them from the store)
- it's important to explain in which cases it's secure to use the store app, and in which it's not.

@strypey The link you posted here does not mention any steps at all. In fact, I consider this a case of egregiously bad documentation.

documentation, that tells a user he/she _should_ do something but does not tell _how_.

It does not have to be painfully complicated, it just needs more empathy from the people writing the documentation.

@lilo I agree. I figured it out in the end, but the documentation only gave me about half of the information I needed to do so. Not having links in the documentation to the relevant pages where the sha512sum files and .sign files could be found was annoying.

Sign in to participate in the conversation
Mastodon - NZOSS

This Mastodon instance is provided gratis by the NZ Open Source Society for the benefit of everyone interested in their own freedom and sharing with others. Hosting is generously provided by Catalyst Cloud right here in Aotearoa New Zealand.