Linux Mint 18 “Sarah” Cinnamon released!

[kost]

I am using ubuntu. I want to download linux mint. Can I follow these instructions https://linuxmint.com/verify.php from ubuntu in order to verify the linux mint iso??

[Pjotr]

I am using ubuntu. I want to download linux mint. Can I follow these instructions https://linuxmint.com/verify.php from ubuntu in order to verify the linux mint iso??

Probably within Ubuntu as well, yes.

Note that this is the simple method for checking (only for corruption checking, not for authenticity checking):
https://sites.google.com/site/easylinux ... -SHA256sum
(item 12, right column)

[kost]

I am using ubuntu. I want to download linux mint. Can I follow these instructions https://linuxmint.com/verify.php from ubuntu in order to verify the linux mint iso??

Probably within Ubuntu as well, yes.

Note that this is the simple method for checking (only for corruption checking, not for authenticity checking):
https://sites.google.com/site/easylinux ... -SHA256sum
(item 12, right column)

Thank you.

[Reorx]

SHA256SUM is a reasonable replacement for MD5SUM (IMO). I don't really feel a need for the more complex new method of "authentication"

You're right: I overlooked the fact that with sha256sum a simple corruption check is still possible, without the complicated gpg hoops. Thanks for the reminder.

You're welcome my friend!

The sha256sums are indeed far too hidden...

I also think, that the procedure is at now far too complicated to do for the average user...

Things would get somehow easier, if...

...Mint is made with the idea of a easy to use GUI; it is absolutely inconsistent, that the very first step to get Mint and proof its validity gives the need to use the terminal, where numerous users already panic, if they only open it.

I agree!

1) SHA256SUMs should be published on the D/L page for every ISO
2) In addition to MD5, SHA256 and pgp checking should be included in the file manager point & right click pop-up menu.

[Cosmo.]

2) In addition to MD5, SHA256 and pgp checking should be included in the file manager point & right click pop-up menu.

SHA256 can be already checked from the file manager (at least Nemo) in LM 18; in this case MD5 would be pointless. I can imagine, that Clem does not want to provide the MD5sums any more, because they would lead to a wrong assumption about integrity. For LM 17 users installing the nemo-gtkhash plugin would be a solution.
The gpg check could be done with the nemo-seahorse plugin, if it would get this feature added. At now it is only able to encrypt / decrypt files (rather pointless for users, who do not use gpg actively and have not created an own key-pair). And of course it would be needed to have it pre-installed, as a new user would near to sure not know, how to get it working.

[xox101]

I have been running the Beta since it came out, very happy with it as well, but I notice a couple of the icons under Menu like Administration and Preferences are still in Mint 17 style. The icons in the screenshot at the top of the blog post announcing the release of Mint 18 stable are completely different.

And no Level 1 updates either.

Running Cinnamon.

Edit. After updates this morning Mint Y theme is now working with the correct icons. Weird.

[Cosmo.]

I invested this afternoon some time to think about the gpg / sha256 / verify issue and came to the conclusion, that there is a problem, that needs urgently to get resolved out of 2 reasons:

Reason 1: As it appears now, with the sha256sum-files, which appear hidden like a state secret, and an advice, which is obviously not understandable by some novice users, the purpose of this (in principle good) idea gets lost. It is simply a fact, that the users skip this part silently, and proceed with installation. This is obviously counterproductive against the goal of this added security step.

Reason 2 (and in the long run even more problematic): All who have used Mint since more than just a few days know, that Mint is (one of) the most user friendly Linux distribution at all. But outside of the Linux world - and the far majority of human mankind has never seen a running Linux desktop themselves - there are much rumors, that Linux can only be used by IT-experts who are able to use terminal and command-line similar, as most people are able to turn their coffee-machine on. When I speak with such people and tell them and show them, that there comes no terminal in sight, if I do the same things, what they do with their Windows-boxes, they get great eyes and don't understand, why other people spread those obviously wrong rumors.

Now take one of those people and convince them, to try Mint (18). What do they get: An advice, which is obviously only doable inside a terminal; that although Clem avoided to use the word terminal in the advice page about verifying. The word does not appear a single time there; seriously: is every newbie user expected to know by himself, that he has to open a terminal at first?
The partly convinced Windows-convertite falls into doubts: Are the rumors true after?

The result is, that with this approach the product image of Mint gets ruined!

Maybe I put too much importance into this, maybe not. But as soon as this should happen, it will be difficult, to get it back where it is and where it belongs to.

IMO the security changes regarding gpg / sha256 checks have been done half-hearted. As this had been done following the attacks in February and the partnership with Sucuri, I have the assumption, that the Sucuri people told Clem, that md5 is only an imagination of checking integrity. So he switched for LM 18 from md5sum to sha256sum and made this available in the context menu of nemo. (What I never understood is: Why only for ISO-files, why not for all file types or at least some like archives (inclusive DEB) and a few more?)

This sha256-check command in the context menu provides 2 problems:
At first, computing the checksum takes some time, but there is nowhere a hint for the user, that the command gets executed and that he has to wait for the result. For a user, who had used it never before it seems, as if it would be broken, because he sees no reaction for some time. (I found 20 seconds, far too long without any notice for the user.)
Second: Even a md5sum is nothing, what is easy to read and to compare with a reference. But comparing a sha256 visually is definitely something, where the human being is not constructed for. Comparing such type of data is surely something, what the dumbest computer can do better than any human. So why is the user expected to compare it manually?
There does exist the nemo plugin nemo-gtkhash (also available as stand-alone program gtkhash), where the user is able to copy / paste the reference hash-sum into a line and he gets with one look the result, if it matches or not. To make security checks for downloads easy, comfortable and understandable for everybody something like that should be pre-installed in Mint. (This does not yet cure the pgp-part of course.)
An even better solution would be, if it would be possible, to point to the sha256-checksum-file and let the computer itself find the needed checksum inside. (There does exist such a program for Windows, but I do not know anything like that for Linux.)

[Reorx]

To make sha256sums easier to verify as correct you can:

1) D/L the sha256sum.txt file and put it into the testing folder
2) D/L the desired ISO files and put them in the same folder as sha256sum.txt
3) Edit the sha256sum.txt file to only include lines for the ISOs you want to test and save it as SHA256SUMs
4) Open the testing folder in a terminal and enter this command:

Code: Select all

sha256sum -c SHA256SUMs

the output of the command will verify if the sha256sums match those in the text file

In my LM18 ISO folder there are 2 ISO files for LM18C64 and LM18M64. I saved the sha256sum.txt as SHA256SUMs and edited it to look like this:

Code: Select all

reorx@freedom-13 ~/Downloads/LM18 $ cat SHA256SUMs
2238dca5b51f9e2674a7e31c46f19141fbdecff6e44c06ecbc9a7bb59b75a816 *linuxmint-18-cinnamon-64bit.iso
c634f48b248489eef782067484a04978f046e9ccd507d9df35c798a1db9bef22 *linuxmint-18-mate-64bit.iso
reorx@freedom-13 ~/Downloads/LM18 $ 

The output from the above listed check command will look like this if everything is OK >>>

Code: Select all

reorx@freedom-13 ~/Downloads/LM18 $ sha256sum -c SHA256SUMs
linuxmint-18-cinnamon-64bit.iso: OK
linuxmint-18-mate-64bit.iso: OK
reorx@freedom-13 ~/Downloads/LM18 $ 

...and like this if everything is NOT OK >>

Code: Select all

reorx@freedom-13 ~/Downloads/LM18 $ sha256sum -c SHA256SUMs
linuxmint-18-cinnamon-64bit.iso: FAILED
linuxmint-18-mate-64bit.iso: FAILED
sha256sum: WARNING: 2 computed checksums did NOT match
reorx@freedom-13 ~/Downloads/LM18 $ 

[majpooper]

This could and should have been made much more clear - sure once you know exactly what to do and understand the terms (jargon) it is all straight forward and quite simple.

For example from the download page
Please read and follow the steps at https://linuxmint.com/verify.php
Link to the sums: sha256sum.txt
Link to the signed sums: sha256sum.txt.gpg

This is all well and good and I went and read and tried the steps except I did not have the knowledge and/or experience to know that sha256sum.txt or sha256sum.txt.gpg
were what was being referred to to "import the signing key from a Keyserver (see above)".
And certainly there was nothing above that gave a clue. This is what I got from "above" in the instructions

majpooper@1150z ~/Downloads $ gpg --recv-key A25BAE09
gpg: keyring `/home/majpooper/.gnupg/secring.gpg' created
gpg: no keyserver known (use option --keyserver)
gpg: keyserver receive failed: bad URI

When I click on the sha256sum.txt or sha256sum.txt.gpg links they open up a page on my browser but the instructions say to download them to the same dir to which the .iso was downloaded - how? I am sure that is very simple to the experienced user but not to everyone or at least not to me but I am sure I will figure it out eventually although it would be nice if that were part of the instructions.

So great I got far enough to compare
majpooper@1150z ~/Downloads $ sha256sum linuxmint-18-cinnamon-64bit.iso
2238dca5b51f9e2674a7e31c46f19141fbdecff6e44c06ecbc9a7bb59b75a816 linuxmint-18-cinnamon-64bit.iso

with sha256sum.txt in the browser window but that is not what the instruction indicate is the proper way to validate the .iso. And I have no idea how to validate sha256sum.txt.gpg against the .iso because I have not figured out how to download sha256sum.txt.gpg to my Downloads dir so of course command fails

majpooper@1150z ~/Downloads $ gpg --verify sha256sum.txt.gpg sha256sum.txt
gpg: can't open `sha256sum.txt.gpg'
gpg: verify signatures failed: file open error

I am not planning on installing LM18 on my rig any time soon - just looking it over on live DVD so no sweat for now but Mint attracts former Windows users and linux noobs because it is a super OS and it is important to make the .iso download validation simple and clear and on this it has not done as good a job as it could.

[Blacksunshine]

Have installed 18 on 2 different desktops upgrading from 17.3.

So far, I like Sarah - she's very friendly, plays nice, and didn't talk back or create a bunch of headaches (so far). If her behavior continues to be cooperative, I may introduce Sarah to some new friends.

I have a feeling that Sarah's going to get around.

[beachgardener]

sha checksum gpg, is all jibberish nonsense at this stage for me, if this is necessary, there needs to be a very simple and precise recipe for anyone to follow, otherwise who will bother?

[Pjotr]

sha checksum gpg, is all jibberish nonsense at this stage for me, if this is necessary, there needs to be a very simple and precise recipe for anyone to follow, otherwise who will bother?

Well, I did.
But you're right. Unfortunately, the authenticity check is currently unfit for general use. We need an easy graphical tool for that....

Note that this is the simple method for checking (only for corruption, not for authenticity):
https://sites.google.com/site/easylinux ... -SHA256sum
(item 12, right column)

In almost all cases, a simple corruption check is enough. As long as you trust the mirror server where you get the iso from, of course. So for the time being I advise to select the mirror carefully (check the URL!) and do a corruption check only.

[majpooper]

beachgardener wrote:
sha checksum gpg, is all jibberish nonsense at this stage for me, if this is necessary, there needs to be a very simple and precise recipe for anyone to follow, otherwise who will bother?

to which Pjotr replied:
Well, I did.

I would love to know how you accomplished that feat.

[Pjotr]

beachgardener wrote:
sha checksum gpg, is all jibberish nonsense at this stage for me, if this is necessary, there needs to be a very simple and precise recipe for anyone to follow, otherwise who will bother?

to which Pjotr replied:
Well, I did.

I would love to know how you accomplished that feat.

Just adapt this how-to for Peppermint, to Linux Mint (thank Reorx for that tip):
https://peppermintos.com/gpg-verification/

It's cumbersome, definitely too cumbersome for the great majority, but it can be done.

[Nenad]

I have installed the beta version 2 weeks ago. Do I have to do clean install of stable version ?

[sikejsudjek]

I have installed the beta version 2 weeks ago. Do I have to do clean install of stable version ?

No, afaik once you've run all the updates available at the moment it should be the same as the stable version.

[Cosmo.]

I have installed the beta version 2 weeks ago. Do I have to do clean install of stable version ?

No, afaik once you've run all the updates available at the moment it should be the same as the stable version.

Not quite: You have to remove Samba to get the state of the final release, read here under "Upgrade instructions". If you do this is a user choice.

[majpooper]

THX to Pjotr I finally verified LM the 18 download

So it took the following and trial and error
https://linuxmint.com/verify.php
https://community.linuxmint.com/tutorial/view/2266 (kudos to xenopeek for this on for LM 17.3)
https://peppermintos.com/gpg-verification/ (thx to Reorx for this one)

Updating this for LM18 and putting in on the download page sure would make a lot of sense and be extremely helpful.

Again I would like to thank Pjtor as well as xenopeek, Cosmos and Fred Barkley for the outstanding support and infinite patience - you guys are the best.

[min2max]

Is there a plan to release a KDE version of LM18? If so, will it use all new plasma 5 or just stick to more mature and stable KDE4? The plasma 5 is still full of bugs laden, no good for LTS version of linux.

[beachgardener]

Thank you all for the information, I shall read this and see if I can have success.
I download from my ISP so the mirror is trusted

I am thinking though that it might be prudent to wait for 18.1 so that this release may mature somewhat, with the reported problems with the ubuntu base it makes sense that the reported issues with mint 18 would flow down from ubuntu, maybe when it is fixed it will be ok, but maybe stay with 17.3 for now.