Aleksa Sarai wrote:
Given the recent case of Linux Mint, I went to double-check how we deal with distribution of checksums and images. It looks like we just distribute them all without TLS, which means there's no hardening against MITM attacks on users trying to download openSUSE. In addition, I couldn't find any mention of GPG signatures for the releases, so there's no web-of-trust way of verifying that an image I download is one that was signed by the key of the chief maintainers.

Check https://software.opensuse.org, section "Verify your download before use". The sha256 checksum files are signed inline using GPG.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.com/
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
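
The check described in the reply above, written out as an added example (it is not part of either message and is not openSUSE's own script). It assumes `gpg` and `sha256sum` are installed and the signing key is already imported; `EXPECTED_FPR` is a placeholder, the function names are hypothetical, and file names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: verify an inline-signed (clearsigned) SHA-256 file, then the image.
# EXPECTED_FPR is a placeholder: obtain the real fingerprint over a trusted channel.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Verify the clearsigned file and write ONLY the signed text to $2.
# Text outside the PGP armor is not covered by the signature, so later
# steps must read this extracted output, never the downloaded file itself.
extract_signed_sums() {
    signed=$1 out=$2
    status=$(gpg --batch --yes --status-fd 1 --output "$out" \
                 --decrypt "$signed" 2>/dev/null) || { rm -f "$out"; return 1; }
    # A VALIDSIG status line carries the fingerprint of the signing key and
    # of its primary key; require the expected fingerprint to be one of them.
    printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .*$EXPECTED_FPR" \
        || { rm -f "$out"; return 1; }
}

# Compare the image's SHA-256 with the entry for its basename in the verified list.
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for the image.
check_image() {
    sums=$1 image=$2
    name=$(basename "$image")
    # sha256sum lines look like "<hex>  <name>" ("<hex> *<name>" in binary mode).
    want=$(awk -v n="$name" \
        '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums")
    [ -n "$want" ] || { echo "no entry for $name" >&2; return 2; }
    got=$(sha256sum "$image" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# Usage: sh verify.sh <image> <inline-signed checksum file>
if [ $# -eq 2 ]; then
    tmp=$(mktemp) || exit 1
    extract_signed_sums "$2" "$tmp" && check_image "$tmp" "$1" && echo "OK: $1"
    rc=$?
    rm -f "$tmp"
    exit $rc
fi
```

The signature only helps if the fingerprint was obtained independently of the download; a key fetched over the same unauthenticated channel as the image offers no protection against the MITM case raised in the original message.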