On Mon, Nov 21, 2016 at 07:33:13PM -0500, Luke wrote:
> Debian is a cluster of confusion

In that much I agree, but I find it funny most of the time (though I can
see it as discouraging too).

> All I know is many downstream sources are actively using ftp.debian.org
> to compile packages. They rarely check hash checks, cannot check GPG (as
> it does not exist)

Well, they are buggy.
What do you mean "cannot check GPG (*as it does not exist*)" ?!
Everything that is in the Debian archive is somehow gpg signed
(either directly through inline signatures, or indirectly through
signatures of listing files like Sources).

> and depend solely on HTTP as their method of
> obtaining Debian sources and compiling for downstream. MiTM is a large
> factor in this case, and is reproducibly easy to do.

Well, then stop trusting plain old dumb HTTP, and check the hashes of
files, hashes that are to be checked through the gpg signatures on them,
against the Debian archive auto-signing key that is widely distributed.

> Since you've closed this bug, where else can I go? Where is upstream?

"upstream" here would be the Debian System Administrators, who handle
the machines and the network and all of the system setup.

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
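The hash chain the reply describes (a signed Release file listing the hash of Sources, Sources listing the hash of each upstream tarball), as an added example that is not part of the original mail. The tarball, Sources stanza and Release body below are constructed here, and the OpenPGP check of InRelease with gpgv against the debian-archive-keyring is assumed to have already passed; only the hash-chain part is shown.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample data, not real archive content: one upstream tarball,
# the Sources stanza that lists it, and the Release entry that lists Sources.
TARBALL = b"constructed orig tarball contents\n"
SOURCES = (
    "Package: example\nVersion: 1.0-1\nDirectory: pool/main/e/example\n"
    "Checksums-Sha256:\n"
    f" {sha256(TARBALL)} {len(TARBALL)} example_1.0.orig.tar.gz\n"
).encode()
# Body of InRelease as it would read after the signature has been verified
# (e.g. gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg InRelease).
RELEASE = (
    "Suite: stable\nSHA256:\n"
    f" {sha256(SOURCES)} {len(SOURCES)} main/source/Sources\n"
)

def parse_checksums(text: str, header: str) -> dict:
    """Return {name: (sha256, size)} from the indented block under `header`."""
    entries, active = {}, False
    for line in text.splitlines():
        if line.startswith(header):
            active = True
            continue
        if active and line.startswith(" "):
            digest, size, name = line.split()
            entries[name] = (digest, int(size))
        else:
            active = False  # any unindented line ends the block
    return entries

def check(entries: dict, name: str, data: bytes) -> bool:
    """True only if `data` matches both the listed size and SHA-256 for `name`."""
    entry = entries.get(name)
    if entry is None:
        return False  # file not listed at all: nothing vouches for it
    digest, size = entry
    return len(data) == size and sha256(data) == digest

def verify_chain(release_text: str, sources_data: bytes, tarball: bytes) -> bool:
    """Signed Release -> Sources -> tarball: each link's hash is vouched for by the previous one."""
    if not check(parse_checksums(release_text, "SHA256:"), "main/source/Sources", sources_data):
        return False
    sources_entries = parse_checksums(sources_data.decode(), "Checksums-Sha256:")
    return check(sources_entries, "example_1.0.orig.tar.gz", tarball)
```

A mirror or proxy that serves a modified Sources file or tarball over plain HTTP breaks the chain at that link, which is what makes the transport irrelevant once the Release signature is checked.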
