I hope someone from Adobe is reading this - on the updates page http://www.adobe.com/support/coldfusion/downloads_updates.html the MD5 checksum for the 8.0.1 Linux updater http://download.macromedia.com/pub/coldfusion/updates/801/coldfusion-801-lin_updater.bin is listed as c6236308a801413fd2c8a684acd952a5, but evaluates to b4168c06af489b479c6249b8e3bb7728. Strangely, checksums for all other updaters (Windows, Solaris and Mac OS X) are OK.
One other thing: I wonder why Adobe still uses MD5 checksums when it was abundantly shown that MD5 does not guarantee code integrity? See, e.g., http://www.mscs.dal.ca/~selinger/md5collision/ where Peter Selinger demonstrates how a ubiquitous "Hello, World!" and a (mock) disk erase program can both have the same MD5 checksum. So even if the checksum calculated OK we would be essentially trusting that no one has a big enough gripe against Adobe (or no script kiddie is sufficiently bored) to sabotage any product on the download page. (Yes, I know that this is a bit more complicated and would involve poisoning DNS cache and/or faking a CA certificate, but it is possible).
So, is anyone listening?
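
The check discussed in this thread, as an added example that is not part of the original posts and is not Adobe's tooling: it compares a downloaded file against the published digests and separates a match on MD5 alone (which rules out a corrupted download only) from a match on a collision-resistant digest. The function names, the status strings and the sample file are assumptions made for the example.

```python
import hashlib
import hmac
import os
import tempfile

WEAK = {"md5", "sha1"}  # collision-broken: useful against corruption only

def file_digests(path, algorithms, chunk_size=1 << 20):
    """Stream the file once and return {algorithm: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_download(path, published):
    """Return "mismatch", "match-weak" or "match-strong" (hypothetical labels).

    "match-weak" means every published digest matched but all of them use
    a collision-broken algorithm; "match-strong" means a collision-resistant
    digest was published and matched as well.
    """
    if not published:
        raise ValueError("no published digest to compare against")
    published = {k.lower(): v.strip().lower() for k, v in published.items()}
    actual = file_digests(path, published)
    for name, expected in published.items():
        if not hmac.compare_digest(actual[name], expected):
            return "mismatch"
    return "match-strong" if set(published) - WEAK else "match-weak"

def demo():
    # Constructed sample bytes standing in for a downloaded updater.
    data = b"constructed sample installer bytes\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    try:
        md5 = hashlib.md5(data).hexdigest()
        sha256 = hashlib.sha256(data).hexdigest()
        return (
            verify_download(tmp.name, {"md5": md5}),
            verify_download(tmp.name, {"md5": md5, "sha256": sha256}),
            # MD5 listed on the updates page; the sample file cannot match it.
            verify_download(tmp.name, {"md5": "c6236308a801413fd2c8a684acd952a5"}),
        )
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    print(demo())
```

A "match-strong" result still depends on the published digest having been obtained over a channel the download itself did not use or could not alter.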