On Wed, Feb 14, 2018 at 12:41:41PM +0100, Wouter Verhelst wrote:
>On Tue, Feb 13, 2018 at 02:48:49PM +0000, Steve McIntyre wrote:
>> On Tue, Feb 13, 2018 at 03:41:14PM +0100, Thomas Schmitt wrote:
>> >Hi,
>> >
>> >after having looked at
>> > https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/
>> >I wonder whether the .torrent files are sufficiently signed on their own.
>> >At least they are not listed in the *SUMS files.
>> >
>> >Is this a similar security problem as with the .jigdo files?
>> >
>> >(I have no clue of BitTorrent. So a simple "Don't worry" would be enough.)
>>
>> As I understand it, BitTorrent works differently so it's not an
>> issue. People don't grab the .torrent files directly from our http(s)
>> sites, but instead using the torrent tracker itself.
>
>That really depends on the torrent tracker. Some allow you to enter the
>URL to the .torrent file in the tracker, some allow you to enter a
>magnet URL, some allow you to download the .torrent file and then run
>the tracker on the file, and some (most) allow any of the above.
>
>Since almost none actually allow you to verify a signature on the
>.torrent file, and since I think that's kind of a good idea, I think you
>should do so :-)

OK, fair point. I'll add these too.

-- 
Steve McIntyre, Cambridge, UK. st...@einval.com
"Since phone messaging became popular, the young generation has lost the
ability to read or write anything that is longer than one hundred and sixty
characters." -- Ignatios Souvatzis