Integrity of TYPO3 Packages
In order to ensure that the downloaded TYPO3 package is an official
package released by the TYPO3 developers, compare the SHA2-
checksum of
the downloaded package with the checksum stated on the TYPO3 website,
before you extract/install TYPO3. You find the SHA2-
checksums on
get.typo3.org.
Be careful when using pre-installed or pre-configured packages by other vendors: due to the nature and complexity of TYPO3 the system requires configuration. Some vendors offer download-able packages, sometimes including components such as Apache, MySQL, PHP and TYPO3, easy to extract and ready to launch. This is a comfortable way to set up a test or development environment very quickly but it is difficult to verify the integrity of the components – for example the integrity of TYPO3.
A similar thing applies to web environments offered by hosting companies: system images sometimes include a bunch of software packages, including a CMS. It depends on the specific project and if you can trust the provider of these pre-installed images, systems, packages – but if you are in doubt, use the official TYPO3 packages only. For a production site in particular, you should trust the source code published at get.typo3.org only.