Peer-to-peer advocacy group Downhill Battle has made a copy of Microsoft's Windows XP Service Pack 2 available at a site called SP2torrent.com through the BitTorrent file-sharing system.
"Now is a crucial time to demonstrate ways that peer-to-peer can be useful," Downhill Battle co-founder Nicholas Reville told ZDNet UK sister site CNET News.com. "We are facing a situation where Congress is seriously considering outlawing peer-to-peer for all intents and purposes."
Reville said he was referring to the Induce Act, a bill before Congress that says "whoever intentionally induces any violation" of copyright law is liable for that infraction.
In addition to distributing SP2, Downhill Battle also used peer-to-peer technology to distribute video of the congressional hearings on the Induce Act.
By distributing Microsoft's code, the company might be putting itself in violation of other laws, analysts say. Although the SP2 upgrade is free, the peer-to-peer distribution of it could well be in violation of Microsoft's licence agreement.
The software maker declined to comment specifically on Downhill Battle's action but reiterated that it feels the best way for consumers to get SP2 is to turn on the Automatic Upgrade feature in Windows and wait for the update to be pulled down automatically.
"We are always looking at ways of doing it," said Stephen Toulouse, security program manager at Microsoft. "The challenge with peer-to-peer is that you never know what you are getting."
Downhill Battle's effort plays on the fact that although the SP2 code was released to PC makers last week, Microsoft has said it will not be available for manual download until later this month.
Indeed, what Downhill Battle is distributing is not the individual PC download of the upgrade -- which is still not available -- but rather the network installation kit that Microsoft released on Monday for IT professionals. That download, which is roughly 270 megabytes, is more than three times larger than the download the typical user would get via automatic update and is designed for companies that need to upgrade many machines running different versions of Windows XP.
The network installer is also freely downloadable directly from Microsoft, though the company has posted a warning that it is not intended for individual users to upgrade their machines.
"Do not click 'Download' if you are updating just one computer," Microsoft states in bold, capital letters. "A smaller, more appropriate download will be available soon on Windows Update."
The demand from enthusiasts for individual upgrades comes as many corporations are opting to test, rather than quickly roll out, the security-oriented update.
Reville said the fact that Microsoft is taking weeks to get the software to users is a sign that there is an opportunity for file sharing to play a part.
"Even Microsoft -- the biggest of the big -- is rolling this out gradually," he said. "The combined power of every Internet user with a broadband connection is bigger even than Microsoft."
Analysts say that may be true, but there are other issues at play.
"There's a certain logic to that," Jupiter Research analyst Michael Gartenberg said. "Of course, that gets balanced against, 'How do I make sure that I am getting Service Pack 2 unmodified as opposed to something that might have a virus or a Trojan horse linked to it?'"
And there is little benefit to the consumer, Gartenberg said.
"It's certainly not going to come any faster," he said. "As long as a company like Microsoft has resources to download this type of content, there is no reason for consumers to want to turn to a peer-to-peer method."
The move is also a bit of a twist for BitTorrent, which is often used to distribute various versions of the open-source Linux operating system. Even in posting SP2, Downhill Battle worked in a plug for Linux.
"And since we're fervent advocates of open-source software around here, SP2torrent.com wouldn't be complete (without) a link to Knoppix, the zero-commitment Linux Live CD."






Talkback
You don't know what you're getting with peer to peer.
Hmm. I disagree. It is very common in free and open source software circles to distribute software using BitTorrent, mirror sites, and other methods out of the direct control of the initial distributor. Nonetheless, high confidence can be had that the file has not been tampered with by validating an extremely hard to forge checksum (the "MD5 sum") provided by the original distributor on their website.
Near total confidence - much better than the confidence one can have that Windows Update has not been tampered with - can be had by validating a digital signature on the update using cryptographic security programs such as PGP or GPG.
It would not be at all difficult for Microsoft to publish an MD5sum and a small, easy to use utility to validate it. It would be almost as trivial to provide a simple program that uses the existing digital signature verification in Windows to validate a signature on the update. The total download size of these files could easily be under a megabyte, probably only a few hundred kb, and would save Microsoft a lot of load on their servers.
So - you can, indeed, know exactly what you're getting with P2P, as well as or even better than with unsigned updates from a central source that could theoretically be trojaned.
Just downloaded it at an average speed of 1500k which is probably 4 times faster than if I got it from Microsoft alone. Works perfectly and I can jump ahead of the game.
In fact I've fetched the xpsp2 CD image from MSDN subscriber downloads. The file in question, xpsp2.exe, is 278920704 bytes long and has an md5sum of 94276421fa963122a4e434d3b14fdc01
Now all you have to decide is if you trust me with this piece of information.
PS: md5sum.exe is available via google
http://www.google.com/search?q=md5sum.exe
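
Added example, not part of the original article or comments: the check the Talkback posts describe, comparing a download against a published size and MD5 before trusting it. The function name and the stand-in test data are assumptions made for this sketch; the two constants are the values quoted in the comment above, and a match only shows the file equals what the publisher of those values had.

```python
import hashlib
import hmac
import os
import tempfile

# Size and MD5 quoted in the comment above for xpsp2.exe.
PUBLISHED_SIZE = 278920704
PUBLISHED_MD5 = "94276421fa963122a4e434d3b14fdc01"


def verify_download(path, expected_size, expected_md5, chunk=1 << 20):
    """Return (ok, reason, sha256_hex). Size is checked first because it is cheap."""
    expected_md5 = expected_md5.strip().lower()
    if len(expected_md5) != 32 or any(c not in "0123456789abcdef" for c in expected_md5):
        return False, "published MD5 is malformed", None
    actual_size = os.path.getsize(path)
    if actual_size != expected_size:
        return False, f"size {actual_size} != published {expected_size}", None
    # MD5 collisions are practical today, so SHA-256 is computed in the same
    # pass and returned for comparison wherever a publisher also lists one.
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:  # streamed: the real file is roughly 270 MB
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    if not hmac.compare_digest(md5.hexdigest(), expected_md5):
        return False, "MD5 mismatch", sha256.hexdigest()
    return True, "size and MD5 match the published values", sha256.hexdigest()


def demo():
    """Runs the check on constructed stand-in data, not the real service pack."""
    original = b"constructed stand-in for an installer\n" * 1000
    size, digest = len(original), hashlib.md5(original).hexdigest()
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.bin")
        for name, data in [("intact", original),
                           ("patched", original[:-1] + b"X"),  # same size, one byte changed
                           ("truncated", original[:-10])]:
            with open(path, "wb") as fh:
                fh.write(data)
            results[name] = verify_download(path, size, digest)[:2]
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10} ok={ok} {reason}")
```

For a real download, call `verify_download("xpsp2.exe", PUBLISHED_SIZE, PUBLISHED_MD5)` after obtaining the published values over a channel you trust independently of the file's source.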