jigdo - Jigsaw Download

Introduction | History | Download

----------------------------------------------------------------------

Introduction

Jigsaw Download (for short "jigdo"), is a tool designed to ease the distribution of very large files over the internet, for example CD or DVD images. Its aim is to make downloading the images as easy for users as a click on a direct download link in a browser, while avoiding all the problems that server administrators have with hosting such large files.

Jigdo was originally designed by Richard Atterer, and he wrote the first version of the jigdo code. His original website talking about it is still online, although he has passed future maintenance of the code over to me. His description of how jigdo works might be interesting - it's a very clever design!

----------------------------------------------------------------------

History

Richard's version of jigdo was designed around using the 128-bit MD5 checksum algorithm. The v1.x format of the jigdo and template file depends heavily on MD5 to track data internally, both for the individual file matches and for the full image itself. Versions of jigdo prior to 0.8.0 only support the MD5-based v1.x format of jigdo file. That covers ISO images released by Debian and other users from ~2004 through to 2019 (at least).

MD5 is a handy algorithm for checksumming - it's well understood (first designed in 1991) and fast, generating a 128-bit checksum. However, over the years lots of researchers have worked on finding weaknesses in the algorithm and computers have grown massively faster. Due to those combined effects, MD5 is no longer considered a secure checksum. In cases where security matters, it is time to move on to new algorithms. Lots of software around the world is being updated in this way, and jigdo is no different.

Since taking over maintenance of jigdo, I've extended the code and added a new format (v2) in jigdo version 0.8.0. This new format uses the SHA256 algorithm internally for all its checksums. SHA256 is a newer algorithm than MD5, and considered by experts to be much stronger. It's part of the SHA-2family of Secure Hash Algorithms, generating a 256-bit checksum.

Richard did a good job with the design of jigdo - it tracks versioning of the format of both the jigdo and template files. The core design also includes support for multiple different types of data "descriptor" internally, so I didn't have to reinvent anything. Yay! However, he couldn't include a time machine in jigdo! Older versions of the tools will recognise a newer version of the format and fail gracefully, which is the best they can do. New versions of the tools can create both formats, but end users may need to download new tools to work with v2 format jigdo files when they start turning up.

Debian is currently planning to switch to producing SHA256-based jigdo v2 format files at some point in 2020. We will announce more details of that switchover closer to the time.

I talk about "tools" plural here, as there are several pieces of software that know how to generate or work with jigdo files:

----------------------------------------------------------------------

Downloads

The new home for the jigdo source code is at git.einval.com. This is the best place to track development versions. Current development is on the "upstream" branch.

If you're a Linux user, then Jigdo is available for normal package installation in Debian, Ubuntu and various other Linux distributions too. That's normally the best way to get things. In case that's not an option for you, (e.g. you need a newer version), then it should be easy to build from source - see below.

In the download area, you will find various things:

All the files there are signed with my PGP key - see the corresponding .sig files for the signatures.

If you need help (building jigdo, or finding jigdo binaries for other platforms, etc.), please ask!

----------------------------------------------------------------------

Steve McIntyre <steve@einval.com>