Package: cdimage.debian.org
Severity: important

Dear Maintainer,

Debian 7.7 SHA512SUMS are signed with a key that doesn't appear to be signed by anyone on the Debian keyring, leaving SHA512SUMS unverifiable by any easy means. Please note that I have the debian keyring installed in GPG on the machine on which the following operation was performed.

$ gpg --verify SHA512SUMS.sign
gpg: Signature made Sun Oct 19 19:45:39 2014 PDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <[email protected]>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

Meanwhile, it appears this has been noted as a problem since 2011 on the Debian forums:
http://forums.debian.net/viewtopic.php?f=17&t=62272&p=561324

I shouldn't need to remind anyone that we are living in an age of known MitM attacks versus FOSS software downloads. Verifying Debian ISOs NEEDS TO BE EASY.

I can pretty much guarantee you I'm the 1 in 100 users who wouldn't have given up reporting this when:

* I got an HTTP 500 from the "HyperEstraier based search engine" for Debian bugs at http://bugs-search.debian.org/cgi-bin/search.cgi when I looked to see if it had already been reported
* I came up against the 11-printed-pages wall of text at https://www.debian.org/Bugs/Reporting
* I found through the wall of text that there was no web interface for bug reporting, in this, the Year of Our Lord 2014
* I had to install 'reportbug' on a random Raspberry Pi just to get you this message.

I know that producing Debian is hard work and that Debian is an accretion of decades of hard work, but peeps. Snowden. NSA. This is not 1998. Verifying downloaded software needs to be EASY TO DO, and you might want bug reporting to be easy to do, too, even though it involves dealing with lots of dupes from noobs - if your system is byzantine and/or broken enough to put off actual software developers, it's ungood.
-- System Information:
Debian Release: 7.6
  Architecture: armhf (armv6l)

Kernel: Linux 3.12.28+ (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: https://lists.debian.org/20141124202114.19833.71178.reportbug@chehalem
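The "not certified with a trusted signature" warning in the report above means gpg verified the signature cryptographically but found no web-of-trust path to the signing key. The practical workaround, when the Debian keyring does not certify the key, is to pin the signer's fingerprint yourself and read gpg's machine-readable status stream instead of its human-facing text. The script below is an added example written for this editorial note, not code from the bug report or from Debian; it assumes a keyring path of /usr/share/keyrings/debian-role-keys.gpg (override with KEYRING=), and the sample status streams it tests against are constructed by hand, not captured from gpg.

```shell
#!/bin/sh
# Added example (not from the bug report): verify a Debian SHA512SUMS
# signature by pinning the signer's fingerprint, then check one ISO
# against the verified sums. Pinning replaces the web-of-trust decision
# that produced the "not certified" warning; gpg still does the
# cryptographic check, we just decide trust by fingerprint comparison.

# Fingerprint shown in the bug report's gpg output, spaces removed.
PINNED_FPR="DF9B9C49EAA9298432589D76DA87E80D6294BE9B"

# Assumed keyring path (debian-keyring package); adjust to your system.
KEYRING="${KEYRING:-/usr/share/keyrings/debian-role-keys.gpg}"

# check_status: read "gpg --status-fd" lines on stdin; succeed only if a
# VALIDSIG line names a primary-key fingerprint equal to "$1". Status
# lines are a stable interface; the "Good signature"/WARNING text is not.
check_status() {
    want="$1"
    ok=1
    while read -r prefix keyword rest; do
        [ "$prefix" = "[GNUPG:]" ] || continue
        case "$keyword" in
            VALIDSIG)
                # VALIDSIG <fpr> <date> <timestamp> <expiry> <sig-version>
                #          <reserved> <pubkey-algo> <hash-algo> <class>
                #          <primary-key-fpr>
                set -- $rest
                primary="${10}"
                [ -n "$primary" ] || primary="$1"
                [ "$primary" = "$want" ] && ok=0
                ;;
            BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NODATA)
                return 1   # a hard failure anywhere wins over a VALIDSIG
                ;;
        esac
    done
    return "$ok"
}

# verify_sums SHA512SUMS SHA512SUMS.sign: run gpg against only the Debian
# keyring and feed its status stream to check_status.
verify_sums() {
    gpg --batch --no-default-keyring --keyring "$KEYRING" \
        --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_status "$PINNED_FPR"
}

# check_iso SHA512SUMS file.iso: check one image against its sums line.
# (grep instead of sha512sum --ignore-missing, which older coreutils lack.)
check_iso() {
    grep " $2\$" "$1" | sha512sum -c -
}

# Constructed status streams for offline testing (not captured from gpg).
# The first mirrors the report: TRUST_UNDEFINED, yet the pinned key signed.
STATUS_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key
[GNUPG:] VALIDSIG DF9B9C49EAA9298432589D76DA87E80D6294BE9B 2014-10-19 1413773139 0 4 0 1 10 00 DF9B9C49EAA9298432589D76DA87E80D6294BE9B
[GNUPG:] TRUST_UNDEFINED 0 pgp'
# A fully trusted but different key must still be rejected.
STATUS_OTHER_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Some other key
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2014-10-19 1413773139 0 4 0 1 10 00 0000000000000000000000000123456789ABCDEF
[GNUPG:] TRUST_ULTIMATE 0 pgp'
STATUS_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key'

# Usage: sh verify-debian-iso.sh SHA512SUMS SHA512SUMS.sign debian-7.7.0-amd64-netinst.iso
if [ "$#" -eq 3 ]; then
    verify_sums "$1" "$2" && check_iso "$1" "$3" && echo "OK: $3 verified"
fi
```

The fingerprint must come from somewhere other than the download mirror itself (the Debian web site over HTTPS, a previous installation, a second channel); pinning a value copied from the same untrusted path as the ISO gains nothing against the MitM the report is worried about.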

