On 29/02/2016 08:29, Aleksa Sarai wrote:
Hi all,
Given the recent case of Linux Mint, I went to double-check how we deal with distribution of checksums and images. It looks like we just distribute them all without TLS, which means there's no hardening against MITM attacks on users trying to download openSUSE. In addition, I couldn't find any mention of GPG signatures for the releases, so there's no web-of-trust way of verifying that an image I download is one that was signed by the key of the chief maintainers.
In addition, the checksums are stored right next to the ISOs, making them useless against a malicious attack (although it is useful for verifying that the download completed). Maybe we could add the checksums to the Wiki (which is served over TLS and is managed completely separately to the download servers).
I think this is something we should fix ASAP. If I missed something, please feel free to tell me, and we can work on better advertising the way we secure our downloads.
The checksums also don't match some of the mirrors. This was reported to admin@ a few weeks ago but was originally reported on Reddit 2-3 months ago before I came across it again when getting a Leap ISO.

Ticket #10724

Ignoring the obvious major issue of out-of-date mirrors (it's an old ISO on at least 1 mirror - still a massive security issue as teaching people to ignore checksums) but it does highlight that the mirrors are not verified.

Jon
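Added example, not part of the original thread or of any openSUSE tooling: a small Python check that separates the two cases discussed above, an image that only agrees with the checksum file sitting next to it on the mirror versus one that agrees with a digest list obtained independently. It assumes the trusted list was already fetched over a separate authenticated channel (a TLS-served page, or a file whose GPG signature has been verified); the file name and image bytes are constructed sample data.

```python
import hashlib
import hmac
import re
import tempfile

def parse_sums(text):
    """Parse sha256sum output lines ('<hex>  <name>' or '<hex> *<name>') into {name: hex}."""
    pattern = r"^([0-9a-fA-F]{64}) [ *](.+)$"
    return {m.group(2).strip(): m.group(1).lower() for m in re.finditer(pattern, text, re.M)}

def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-gigabyte images are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(path, name, mirror_sums, trusted_sums):
    """Compare an image against the mirror's checksum file and an independent one."""
    actual = sha256_file(path)
    trusted = parse_sums(trusted_sums).get(name)
    mirror = parse_sums(mirror_sums).get(name)
    if trusted is None:
        return "no-trusted-digest"  # nothing independent to compare against
    if hmac.compare_digest(actual, trusted):
        return "verified"           # matches the independently obtained digest
    if mirror is not None and hmac.compare_digest(actual, mirror):
        return "mirror-only"        # intact download of a stale or replaced image
    return "mismatch"               # matches neither list: corrupt or incomplete

def demo():
    """Constructed sample: the released image, a different image, a cut-off download."""
    name = "example.iso"  # hypothetical file name
    good, swapped = b"released image bytes", b"different image bytes"
    trusted = f"{hashlib.sha256(good).hexdigest()}  {name}\n"
    # The mirror's checksum file describes whatever image that mirror serves.
    mirror = f"{hashlib.sha256(swapped).hexdigest()}  {name}\n"
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = f"{d}/{name}"
        for label, data in (("good", good), ("swapped", swapped), ("truncated", good[:5])):
            with open(path, "wb") as f:
                f.write(data)
            results[label] = classify(path, name, mirror, trusted)
    return results

if __name__ == "__main__":
    print(demo())
```

A "mirror-only" result is the case a co-located checksum cannot catch: the download completed correctly, but the image is not the one the independent list describes.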