Hi,

isn't it amazing & SAD that currently DEBIAN USERs CANNOT OBTAIN ANY 
hash/integrity CODE/file, or signature/sign code/file for CD-DVD ISO file, or 
the file-signing GPG pubkey file, OVER/THRU a (HTTPS/HKPS) ENCRYPTED connection 
? !!! (from the primary domain/server "debian.org" or "www.debian.org" website, 
or from the subdomain "cdimage.debian.org") !  do you not notice it !!! ?

To me it seems like, You are telling your users, that, Hey users! here is the 
ISO file (get it over open & non-encrypted HTTP connection), and to check this 
ISO file's authenticity, you will need an Integrity HASH code file from us, BUT 
we cannot give you/user this integrity-file over a direct ENCRYPTED and 
(SSL/TLS certificate & DANE DNSSEC) verified connection, SO you must accept the 
INTEGRITY code-file over modifiable & open & eavesdropped connection.  Such way 
obtained any SUMS/INTEGRITY files or SIGN files ARE USELESS, and do not have 
any sure-integrity in them anymore.

in http://cdimage.debian.org subdomain website+webpages, please enable SSL/TLS 
cert based HTTPS daemon. Then users can access it over HTTPS encrypted 
connection.

Please ENABLE URL-redirecting in your server-side HTTPS-daemon to change CD/ISO 
large-file's URL from HTTPS into HTTP,  and make sure users can download all 
tiny INTEGRITY files, CheckSums, Hash, Sign, etc files, over HTTPS ENCRYPTED 
connection.
If HTTPS cannot be enabled in "cdimage.debian.org" subdomain,  then please 
transfer all those tiny files (CheckSUMS, Hash, Integrity, Sign, etc) for 
last-stable release under primary domain somewhere, here:

 https://www.debian.org/CD/verify 

If above steps are done, THEN very-large sized (few GIGABYTES sized) ISO-file's 
can be delivered to users, or users can obtain, over non-encrypted HTTP or FTP 
etc connection.  In fact, all users should be forced to download large-sized 
ISO file over HTTP non-encrypted connection (by using url-redirecting in 
web-server side), ONLY WHEN INTEGRITY CODEs & PUBKEY are downloadable OVER/THRU 
(HTTPS/HKPS) ENCRYPTED CONNECTION.

But currently your subdomain "cdimage.debian.org" is not accessible over HTTPS 
ENCRYPTED connection, so none of the tiny INTEGRITY files or Sign-files can 
be obtained by any users securely.
CD/DVD image ISO file's GPG-SIGNATURE (sig/sign) FILE or SHAnnnSUMS INTEGRITY 
FILES (or ISO file-signing or ISO integrity-code file signing GPG PUBKEY FILE), 
 all of these files are very very TINY SIZED FILES (few KILOBYTES only), 
compared to the VERY large-sized main file, the ISO files.  So AT-LEAST 
sig/sign file + Sums/Hash code files (and file-signing Pubkey file), need to be 
shared with all users (from "https://cdimage.debian.org" or 
"https://www.debian.org/CD/" website or "https://keyring.debian.org/" website) 
over HTTPS encrypted connection/transfer.
if those tiny files are downloadable over HTTPS encrypted connection, then 
users can match/compare, "codes" obtained (over secure HTTPS/HKPS Encrypted 
connection) from SUMS/hash integrity file, with the calculated hash code of the 
downloaded ISO file, (or by using a GPG tool, user can verify the authenticity 
of downloaded ISO file, by using securely downloaded signature file).

since "Debian.org" website (primary domain) is now already DNSSEC signed by 
its own developers :)  and website's used TLS/SSL cert is also 
defined+declared in TLSA/DANE dns record :)  so all HTTPS webpage INFO from 
primary website ("https://www.debian.org/") are already (SSL/TLS CA, and, DANE 
DNSSEC), double channel (aka, double TA) verified.  Users can very easily see 
indication (for free or almost at no-cost) of this double-verification, if they 
use https://www.dnssec-validator.cz/ addon in (firefox/IE/safari/chrome) 
web-browser, etc, AND, if a local full dnssec supported dns-resolver, (like 
"unbound" from https://www.unbound.net/ is used).

please MENTION about these two or similar (DNSSEC-Validator, Unbound) APP, IN 
THAT "verify" WEBPAGE, so that all users+people can know there are OTHER 
existing & alternative & trustworthy ways, to verify/authenticate,  And 
"debian.org" website & its devs have already implemented+using them.   Unless 
you mention about "DNSSEC" in that "verify" webpage, how else would people know 
about using this alternative ? !!!  don't assume every1 is traveling around the 
world & meeting correct people all the time, & know all kinds of (correct) ways.

please allow your/debian users to enjoy & utilize this double-verification, for 
getting tiny file-integrity (sums/hash) code files, over HTTPS based encrypted 
connection from a DNSSEC signed & DANE authenticated website.

Please fix these issues, and update your website. Thank you.

I'm also posting, a similar (not exactly same) request, in Debian-CD 
Mailing-list, as it requires attention from packagers & devs working on 
CDs/DVDs, to place & show the integrity-files into primary domain (along with 
showing in "cdimage" subdomain).  Also posting a similar (not exactly same) 
request in Debian-www Mailing-list, as it requires them to update SSL cert for 
the "keyring" & "cdimage" subdomain & update the "verify" webpage.  Keeping 
Debian-Security Mailing-list discussion in detail, here, as it involves Debian 
installer & related file's integrity & Debian webserver's data TRANSFER 
security.

-- Erik.
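
The comparison the post describes (the digest listed in a SUMS file fetched over HTTPS against the digest computed from the downloaded ISO), as an added example that is not part of the original message or of Debian's tooling. SHA-256 is assumed, and the file name and image bytes are constructed for the demo.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One SHA256SUMS line: 64 hex chars, a space, a mode flag (' ' or '*'), the name.
SUMS_LINE = re.compile(r"([0-9a-fA-F]{64}) [ *](.+)")


def parse_sums(text):
    """Return {filename: lowercase hex digest} from sha256sum-style text."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        match = SUMS_LINE.fullmatch(line)
        if match is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[match.group(2)] = match.group(1).lower()
    return entries


def sha256_file(path, chunk_size=1 << 20):
    """Hash a multi-gigabyte image in fixed-size chunks instead of reading it whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, trusted_sums_text):
    """True only if the file's digest equals the entry listed under its own name."""
    name = Path(path).name
    expected = parse_sums(trusted_sums_text).get(name)
    if expected is None:
        raise KeyError(f"no checksum listed for {name}")
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed data: a small stand-in image and the SUMS text that lists it."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp, "debian-example.iso")  # hypothetical file name
        iso.write_bytes(b"constructed image bytes" * 1000)
        sums = f"{sha256_file(iso)}  {iso.name}\n"  # stands in for the HTTPS-fetched file
        intact = verify_image(iso, sums)
        iso.write_bytes(iso.read_bytes() + b"\x00")  # one byte changed in transit
        return intact, verify_image(iso, sums)
```

`demo()` returns `(True, False)`: the unmodified image matches its listed digest, and the same image with one extra byte does not.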
