On May 30, 2014, at 9:50 AM, Alfie John <[email protected]> wrote:
>> 
>> The whole point here is that Debian is already verifying the content it
>> is receiving from any given data source.  This was done from the very
>> beginning because anyone can mirror and distribute Debian software.  So
>> unless there is a flaw with libc and libgpg, we are safe for downloading
>> the public Debian content from anywhere.
> 
> Several times (public and private) I tried to explain how the download
> of APT (the binary itself) on an initial Debian install could be
> compromised via MITM since it's over plaintext. Then the verification of
> packages could simply be skipped (hence NOP). I'm not sure why you're
> bringing libc and libgpg into the conversation.


I think you are on the right track; the MD5SUMS of each release do not seem
to be available via SSL from debian.org.



--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
Archive: https://lists.debian.org/[email protected]
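Added example, not from anyone in this thread: a small offline simulation of the point being argued above, that a checksum file fetched over the same plaintext channel as the artifact gives an active MITM nothing to defeat (the attacker rewrites both consistently, so the check is effectively a NOP), while a digest anchored out of band (HTTPS from the project, or a signed file checked against a key you already hold) does catch the swap. The "mirror", the "attacker", the stand-in apt binary and the pinned digest are all constructed here; the hash algorithm is not the point, the channel is.

```python
"""Constructed demonstration: in-band vs out-of-band integrity checks
for a file fetched from a plaintext mirror.  Nothing here touches the
network; both mirrors are plain functions."""
import hashlib

# Constructed stand-ins for the apt binary fetched during an initial install.
GENUINE_APT = b"#!/bin/sh\necho verifying package signatures\n"
TROJANED_APT = b"#!/bin/sh\necho signature check: NOP\n"


def md5sums_file(blob: bytes, name: str = "apt") -> bytes:
    """Render one MD5SUMS-style line ('digest  filename') for a blob."""
    return f"{hashlib.md5(blob).hexdigest()}  {name}\n".encode()


def honest_mirror(path: str) -> bytes:
    """Plaintext HTTP mirror serving genuine content."""
    if path == "/apt":
        return GENUINE_APT
    if path == "/MD5SUMS":
        return md5sums_file(GENUINE_APT)
    raise KeyError(path)


def mitm_mirror(path: str) -> bytes:
    """Same plaintext channel with an active attacker in the path: the
    attacker rewrites the binary AND publishes a matching checksum file."""
    if path == "/apt":
        return TROJANED_APT
    if path == "/MD5SUMS":
        return md5sums_file(TROJANED_APT)
    raise KeyError(path)


def parse_sums(sums: bytes) -> dict:
    """Parse 'digest  filename' lines (MD5SUMS / SHA256SUMS layout)."""
    out = {}
    for line in sums.decode().splitlines():
        digest, _, name = line.partition("  ")
        if digest and name:
            out[name] = digest
    return out


def verify_in_band(fetch) -> bool:
    """Checksum taken from the same mirror as the artifact.  This is what
    'download MD5SUMS next to the file and compare' amounts to."""
    blob = fetch("/apt")
    expected = parse_sums(fetch("/MD5SUMS"))["apt"]
    return hashlib.md5(blob).hexdigest() == expected


def verify_out_of_band(fetch, pinned_sha256: str) -> bool:
    """Digest obtained independently of the mirror (authenticated HTTPS
    from the project, or a signed file verified with a key you already
    hold) and compared with a current hash."""
    blob = fetch("/apt")
    return hashlib.sha256(blob).hexdigest() == pinned_sha256


# Pinned digest of the genuine binary.  Computed inline only so the
# example is self-contained; in practice it must come from an
# authenticated source, otherwise it is just another in-band value.
PINNED_SHA256 = hashlib.sha256(GENUINE_APT).hexdigest()


def run_scenarios() -> dict:
    """True means 'verification passed'.  Note the mitm/in_band case."""
    return {
        "honest/in_band": verify_in_band(honest_mirror),
        "mitm/in_band": verify_in_band(mitm_mirror),  # passes: attacker wrote both
        "honest/out_of_band": verify_out_of_band(honest_mirror, PINNED_SHA256),
        "mitm/out_of_band": verify_out_of_band(mitm_mirror, PINNED_SHA256),  # fails
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20s} {'OK' if ok else 'TAMPERED'}")
```

The mitm/in_band row is the case the thread is about: the installer has no trust anchor yet, so a checksum that arrives over the same unauthenticated connection as the binary cannot detect substitution. Switching MD5 for SHA-256 changes nothing there; only a digest (or signature key) that reaches the host by a path the attacker does not control turns the comparison into a real check.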
