Matt Taggart <> (2018-03-13):
> In the package provided di-sources.list file, in the daily section,
> there are the following comments,
>   ## Daily netboot DI images (not signed?!?). Read:
>   #
>   # is what
should be advertised. The other one was broken in the first place, and
is only kept for the debian-cd part which wasn't integrated in the
“new” view yet. The web server serving the cdimage logs has been shut
down anyway IIRC from a few weeks ago.

And yeah, nobody maintains /Today…

> It would be nice if the d-i daily's were signed, even if they had to
> use a different key that I would then need to install on the system so
> that this di-netboot-assistant check could use. Is there already a bug
> open requesting daily image signing? If not then maybe this one can be
> cloned and reassigned to the right place.

I don't think that's a reasonable thing to do. Images are built on
porterboxes, centralized on dillon, which is used for quite a number
of other things.

What extra security would signing images bring here?

Cyril Brulebois (            <>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply via email to