On 29.02.2016 at 09:39, Jon Brightwell wrote:
On 29/02/2016 08:29, Aleksa Sarai wrote:
Given the recent case of Linux Mint, I went to double-check how we
download is one that was signed by the key of the chief maintainers.
In addition, the checksums are stored right next to the ISOs, making them useless against a malicious attack (although it is useful for verifying that the download completed). Maybe we could add the checksums to the Wiki (which is served over TLS and is managed completely separately to the download servers).
I think this is something we should fix ASAP. If I missed something, please feel free to tell me, and we can work on better advertising the way we secure our downloads.
The checksums also don't match some of the mirrors. This was reported to admin@ a few weeks ago but was originally reported on Reddit 2-3 months ago before I came across it again when getting a Leap ISO.
Ignoring the obvious major issue of out of date mirrors (it's an old iso on at least 1 mirror - still a massive security issue as teaching people to ignore checksums) but it does highlight that the mirrors are not verified.
But the checksums are pgp signed (inline pgp signature inside the sha256 checksum file), so as long as the user has the pubkey used for this signature and uses it to verify the checksums, everything is fine. The pubkey long fingerprint is noted on the main iso download page, not on the mirrors pages. The current setup is far more secure than what Linux Mint had. Don't panic ;-). If an image on a mirror doesn't match the signed checksums, then it should be discarded by the user and redownloaded from another mirror. Simple stuff imho.
--
Łukasz "Cyber Killer" Korpalski
mail: email@example.com
xmpp: firstname.lastname@example.org
site: http://website.cybkil.cu.cc
gpgkey: 0x72511999 @ hkp://keys.gnupg.net
//When replying to my e-mail, kindly please
//write your message below the quoted text.
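The verification flow described in the last message, as an added example that is not part of the original thread: check the inline signature against a fingerprint obtained from the main download page, then compare the ISO only with the hash taken from the signed text. The function names are hypothetical, `EXPECTED_FPR` is a placeholder, and the script assumes `gpg` and `sha256sum` are installed and the signing key is already in the local keyring.

```shell
#!/bin/sh
# Added example; function names are hypothetical. EXPECTED_FPR is a placeholder:
# set it to the long fingerprint shown on the main ISO download page.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# Verify the inline-signed checksum file $1 and write only the signed text to $2.
# Hashes must be read from that output: lines outside the signed armor of the
# raw file are not covered by the signature.
signed_checksums() {
    sums_file=$1; out=$2
    fpr=$(printf '%s' "$EXPECTED_FPR" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --yes --status-fd 1 --output "$out" \
                 --decrypt "$sums_file" 2>/dev/null) || return 1
    # VALIDSIG lists the signing key fingerprint first and the primary key's last.
    printf '%s\n' "$status" | awk -v fpr="$fpr" \
        '$2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 } END { exit !ok }'
}

# Compare ISO $1 with the hash listed for its file name in verified text $2.
# Returns 0 on match, 1 on mismatch, 2 when the name is not listed.
iso_matches_signed_sum() {
    iso=$1; verified=$2
    name=$(basename "$iso")
    want=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$verified")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# check_download <iso> <signed sha256 file>: returns 0 only if both checks pass,
# 3 when the signature check fails.
check_download() {
    iso=$1; sums=$2
    tmp=$(mktemp) || return 1
    if signed_checksums "$sums" "$tmp"; then
        rc=0; iso_matches_signed_sum "$iso" "$tmp" || rc=$?
    else
        echo "signature on $sums is missing, bad, or from another key" >&2; rc=3
    fi
    rm -f "$tmp"
    [ "$rc" -ne 1 ] || echo "$iso differs from the signed checksum; discard it" >&2
    return "$rc"
}
```

A checksum file that carries the correct hash but no valid signature from the expected key is rejected before any hash comparison, which is the property a checksum stored next to the ISO on a mirror cannot provide on its own.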