I assume there’s some historical reason for this, but currently, the way scene releases reach most people seems to consist of:

  1. Sites that track releases post the nfo file of the release; these sites generally don’t provide the release itself.

  2. People then look for the release via various channels and download it.

Wouldn’t it make sense for the nfo to contain the checksum of the actual release, letting pirates verify unmodified copies of it and making it easier to avoid versions that have been modified in various ways?

Obviously you’d still have to trust both the site where you got the NFO (and therefore the checksum) and the people who made the original release, but those are usually relatively trustworthy, being known people who have handled a lot of releases with no problems - a lot of the danger of viruses and the like in software piracy comes from the risk of middlemen adding something.

    • Cycloprolene@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      most of there .nfo include .sfv files.

      But they are mostly crc32, that’s 100% useless.

  • Chewie@mammut.gogreenit.net
    link
    fedilink
    arrow-up
    14
    arrow-down
    1
    ·
    1 year ago

    @Yglorba

    Good question. I guess people thought naively that .sfv files were enough, but of course that’s not true.

    Some .nfo files contain md5s for things, but that would be easily changeable.

    It would have to be a cryptographic checksum, using something like GPG/PGP with a distributed fingerprint to be any good.

    I’ve seen one or two over the years, but not as many as you’d expect for people that should be worried about security and image.

  • liliumstar@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    7
    ·
    1 year ago

    I’ve noticed some scene game/software releases have blake3 hashes now. That doesn’t account for everything else, but I’d say it’s a good step.

  • Cycloprolene@lemm.ee
    link
    fedilink
    English
    arrow-up
    4
    ·
    1 year ago

    This frustrates me to to no end. sometimes the only ISO I find is very sketchy and I end up downloading a trusted repack instead.

      • Yglorba@lemmy.dbzer0.comOP
        link
        fedilink
        English
        arrow-up
        3
        ·
        edit-2
        1 year ago

        Yes, I mentioned that - but trusted public sources, who often post on places like Reddit or personal websites run out of the US and the like, can post NFOs but can’t post the actual game. If you knew the correct checksum, you could then turn around and grab the game from an untrusted source.

        Distributing the game itself is the dangerous part (in terms of making the copyright pinkertons come after you) so it’s better if it can be done as anonymously as possible, but that conflicts with the need to have it distributed by someone trusted. Putting the checksum in the nfo, which is widely reposted by trusted sources, would help avoid this problem.

      • Cycloprolene@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        1 year ago

        Duh!

        Ofcourse I would verify against a nfo from trusted source not the one besides the iso!

    • WarmApplePieShrek@lemmy.dbzer0.com
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Point 2: “Sites which track NFOs” track NFO files of scene releases because noone cares about P2P NFOs. Scene releases are intended to spread on FTP, not BitTorrent. They also come with CRC-32 checksums in file extension .SFV