Hi all,

Given the recent case of Linux Mint, I went to double-check how we deal with distribution of checksums and images. It looks like we just distribute them all without TLS, which means there's no hardening against MITM attacks on users trying to download openSUSE.

In addition, I couldn't find any mention of GPG signatures for the releases, so there's no web-of-trust way of verifying that an image I download is one that was signed by the key of the chief maintainers.

In addition, the checksums are stored right next to the ISOs, making them useless against a malicious attack (although it is useful for verifying that the download completed). Maybe we could add the checksums to the Wiki (which is served over TLS and is managed completely separately to the download servers).

I think this is something we should fix ASAP. If I missed something, please feel free to tell me, and we can work on better advertising the way we secure our downloads.

--
Aleksa Sarai
Docker Core Specialist
SUSE Australia
https://www.cyphar.com/
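The point about co-located checksums, illustrated with an added example that is not part of the mail or of openSUSE's infrastructure: a small verifier that parses a `sha256sum`-style checksum list and checks an image against it, run over three constructed cases. The image bytes, the file name `example-installer.iso` and both checksum files are made up in the script; the "trusted" list stands for a checksum published over a separate TLS channel such as the wiki, the "co-located" list for one served from the same mirror as the image.

```python
"""
Added example (not from the original mail): verify an installer image against a
SHA-256 checksum list in `sha256sum -c` format, and show why a checksum that
travels with the image over the same channel cannot detect tampering.
All data below is constructed in memory; no real image or checksum is used.
"""
import hashlib
import hmac


def parse_checksum_file(text):
    """Parse lines like '<hex>  <filename>' (sha256sum output) into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("malformed checksum line: %r" % line)
        digest, name = parts
        # sha256sum marks binary-mode entries with a leading '*'
        entries[name.lstrip("*")] = digest.lower()
    return entries


def sha256_hex(data):
    """SHA-256 of a bytes-like object, hashed in 1 MiB chunks as one would for a large ISO."""
    h = hashlib.sha256()
    view = memoryview(data)
    chunk = 1 << 20
    for i in range(0, len(view), chunk):
        h.update(view[i:i + chunk])
    return h.hexdigest()


def verify_image(image_bytes, image_name, checksum_text):
    """Return True iff the image's SHA-256 matches its entry in checksum_text."""
    expected = parse_checksum_file(checksum_text).get(image_name)
    if expected is None:
        return False
    # constant-time comparison of the two hex strings
    return hmac.compare_digest(sha256_hex(image_bytes), expected)


# --- constructed scenario (placeholder data, not a real release) -------------
GENUINE_ISO = b"constructed stand-in for a genuine installer image\n" * 1000
TAMPERED_ISO = GENUINE_ISO.replace(b"genuine", b"altered", 1)
ISO_NAME = "example-installer.iso"  # placeholder file name

# Checksum list published out of band, e.g. on a TLS-served wiki.
TRUSTED_SHA256SUMS = "%s  %s\n" % (sha256_hex(GENUINE_ISO), ISO_NAME)

# Checksum list sitting next to the image: whoever can replace the image can
# regenerate this file too, so it only proves the download was not corrupted.
COLOCATED_SHA256SUMS = "%s  %s\n" % (sha256_hex(TAMPERED_ISO), ISO_NAME)


def scenario():
    """Run the three checks and return their outcomes by name."""
    return {
        "genuine_vs_trusted": verify_image(GENUINE_ISO, ISO_NAME, TRUSTED_SHA256SUMS),
        "tampered_vs_trusted": verify_image(TAMPERED_ISO, ISO_NAME, TRUSTED_SHA256SUMS),
        "tampered_vs_colocated": verify_image(TAMPERED_ISO, ISO_NAME, COLOCATED_SHA256SUMS),
    }


if __name__ == "__main__":
    for case, ok in scenario().items():
        print("%-24s %s" % (case, "OK" if ok else "MISMATCH"))
```

The third case is the one the mail is about: the altered image passes against the checksum list served beside it, and only the independently published list catches the change. A detached signature over the checksum list would close the remaining gap, since the wiki page itself then no longer has to be trusted.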