Hello,

I downloaded KNOPPIX_V6.0.1CD-2009-02-08-EN.iso from a local FTP mirror, but it doesn't match the MD5 or SHA1 checksums. I tried using rsync to fix the downloaded file, trying both the local mirror and uni-kl.de, but it stayed the same. I then tried using BitTorrent, but again it said that it the download was 100% complete (i.e. it matches what everyone else has).

$ md5sum KNOPPIX_V6.0.1CD-2009-02-08-EN.iso
d642d524dd2187834a418710001bbf82 KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ cat KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.md5
e855cf1498247b5bf9b7ae8162eaa4d0 *KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ sha1sum KNOPPIX_V6.0.1CD-2009-02-08-EN.iso
13237673708006e4bad3131e883081af1262e3b9 KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ cat KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.sha1
6cf4b3c40dd040a31d72fb49a1b2d29e2ffad173 *KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ gpg --verify KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.md5.asc
gpg: Signature made Tue 10 Feb 2009 12:32:05 GMT using DSA key ID 57E37087
gpg: Good signature from "Klaus Knopper <knopper@knopper.net>"
gpg: aka "Klaus Knopper <info@knopper.net>"
gpg: aka "Klaus Knopper <knoppix@knopper.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0E57 3DA0 F139 69EF 1DD5 ACAA 3798 E3D7 57E3 7087

$ gpg --verify KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.sha1.asc
gpg: Signature made Tue 10 Feb 2009 12:32:27 GMT using DSA key ID 57E37087
gpg: Good signature from "Klaus Knopper <knopper@knopper.net>"
gpg: aka "Klaus Knopper <info@knopper.net>"
gpg: aka "Klaus Knopper <knoppix@knopper.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0E57 3DA0 F139 69EF 1DD5 ACAA 3798 E3D7 57E3 7087

Does anyone know what's going on here please?

Thank you.

My first impression when I saw you post was that you were seeing the well known problems with mirror downloads and corruption (actually a false translation as if it were a text file rather than a binary file). But I grabbed a copy with BitTorerent and it has the same problem, and my actual md5 is d642d524dd2187834a418710001bbf82, the same as yours. So I have to believe that Klaus made an error here. It would be pointless to speculate how he made the error. But there are reports that the people have the download working, so I think we should assume that since we both have the same matching computer md5 that we have good copies of the file.

I notice the md5 and sha1 hash files have been updated and now match the download. They are also signed correctly too, so everything now looks in order.


$ md5sum KNOPPIX_V6.0.1CD-2009-02-08-EN.iso
d642d524dd2187834a418710001bbf82 KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ cat KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.md5
d642d524dd2187834a418710001bbf82 *KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ gpg --verify KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.md5.asc
gpg: Signature made Tue 10 Feb 2009 19:54:16 GMT using DSA key ID 57E37087
gpg: Good signature from "Klaus Knopper <knopper@knopper.net>"
gpg: aka "Klaus Knopper <info@knopper.net>"
gpg: aka "Klaus Knopper <knoppix@knopper.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0E57 3DA0 F139 69EF 1DD5 ACAA 3798 E3D7 57E3 7087

$ sha1sum KNOPPIX_V6.0.1CD-2009-02-08-EN.iso
13237673708006e4bad3131e883081af1262e3b9 KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ cat KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.sha1
13237673708006e4bad3131e883081af1262e3b9 *KNOPPIX_V6.0.1CD-2009-02-08-EN.iso

$ gpg --verify KNOPPIX_V6.0.1CD-2009-02-08-EN.iso.sha1.asc
gpg: Signature made Tue 10 Feb 2009 19:54:26 GMT using DSA key ID 57E37087
gpg: Good signature from "Klaus Knopper <knopper@knopper.net>"
gpg: aka "Klaus Knopper <info@knopper.net>"
gpg: aka "Klaus Knopper <knoppix@knopper.net>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 0E57 3DA0 F139 69EF 1DD5 ACAA 3798 E3D7 57E3 7087

I notice the md5 and sha1 hash files have been updated and now match the download. They are also signed correctly too, so everything now looks in order.
The mirrors may have been updated (I'll take your word for that since I never use the mirrors any more), but the faster and less prone to problems torrent download does not seem to have been. It is still showing the original Feb 8 2009 date in the name, and that would seem to indicate that torrent feeders such as myself are still delivering the original incorrect md5 file with the torrent. He really should release a revised torrent file with a different date. Yea, it would take a little while for the pool of feeders to grow again, but having an incorrect torrent out there isn't good (I stopped feeding it as soon as you alerted us to the problem).

My advice to downloaders would be to still use the torrents, but use the md5 posted above rather than the one that comes with the download to check your ISO file. Not really needed for experienced torrent users as the BitTorrent protocol includes it's own checks, but I have seen some users abort the download prematurely (as soon as the display shows 100% but before the final block finishes) and not realize that they have an incomplete download.

but the faster and less prone to problems torrent download does not seem to have been.
Opps, let me revise this. From the date added (very late on the 11th) it does look like Klaus updated the torrents. But it's pretty strange that he kept the same name with the older date in the file, and I expect that may cause some conflicts with people who have the older version of the download and are still trying to feed.