On May 30, 2014, at 9:50 AM, Alfie John <alf...@fastmail.fm> wrote:

>> The whole point here is that Debian is already verifying the content it
>> is receiving from any given data source. This was done from the very
>> beginning because anyone can mirror and distribute Debian software. So
>> unless there is a flaw with libc and libgpg, we are safe for downloading
>> the public Debian content from anywhere.
>
> Several times (public and private) I tried to explain how the download
> of APT (the binary itself) on an initial Debian install could be
> compromised via MITM since it's over plaintext. Then the verification of
> packages could simply be skipped (hence NOP). I'm not sure why you're
> bringing libc and libgpg into the conversation.
I think you are on the right track; the MD5SUMS of each release does not seem to be available via SSL from debian.org.

Archive: https://lists.debian.org/e89fece8-7c01-45c3-9d7f-03919b612...@vianet.ca
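The check the thread is arguing about, as an added example that is not code from this list or from Debian: a small verifier for Debian-style checksum files (`<hexdigest>  <filename>` per line, as in MD5SUMS or SHA256SUMS), followed by a demonstration of why the check alone does not settle the question. The image contents, file name `netinst.iso` and digests below are constructed inline for the example; the only real things assumed are the checksum-file line format and Python's `hashlib`.

```python
"""Verify downloaded files against a Debian-style checksum file.

Added example for the thread above, not code from the list or from Debian.
The "<hexdigest>  <filename>" line format (MD5SUMS / SHA256SUMS) is real;
every file, name and digest used in demo() is constructed here.
"""
import hashlib
import re

# Digest length in hex characters -> hashlib algorithm name.
_ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# "<hex>  <name>" or "<hex> *<name>" (the '*' marks binary mode in coreutils output).
_LINE_RE = re.compile(r"^([0-9a-fA-F]+)\s+\*?(.+)$")


def parse_sums(text):
    """Parse a MD5SUMS/SHA256SUMS-style file into {filename: (algo, hexdigest)}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {raw!r}")
        digest, name = m.group(1).lower(), m.group(2)
        algo = _ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised digest length for {name!r}")
        entries[name] = (algo, digest)
    return entries


def verify_files(sums_text, files):
    """Return {filename: bool} for every listed file that was actually downloaded.

    `files` maps filename -> bytes as received. Listed files that were not
    downloaded are skipped rather than reported as failures.
    """
    results = {}
    for name, (algo, expected) in parse_sums(sums_text).items():
        if name not in files:
            continue
        actual = hashlib.new(algo, files[name]).hexdigest()
        results[name] = actual == expected
    return results


def demo():
    """Three constructed scenarios showing what the checksum check can and cannot catch."""
    genuine = b"debian-installer image (constructed stand-in)\n"
    tampered = b"debian-installer image (constructed stand-in, modified)\n"
    # Constructed checksum files: one for the genuine image, one an attacker
    # on the same plaintext channel could serve alongside a modified image.
    sums_genuine = f"{hashlib.sha256(genuine).hexdigest()}  netinst.iso\n"
    sums_tampered = f"{hashlib.sha256(tampered).hexdigest()}  netinst.iso\n"
    return {
        # Authentic checksum file, authentic image: passes.
        "genuine_file_genuine_sums": verify_files(sums_genuine, {"netinst.iso": genuine}),
        # Authentic checksum file, modified image: caught.
        "tampered_file_genuine_sums": verify_files(sums_genuine, {"netinst.iso": tampered}),
        # Checksum file and image both replaced on an unauthenticated channel:
        # passes, which is why the checksum file itself needs TLS or a
        # verified signature to mean anything.
        "tampered_file_tampered_sums": verify_files(sums_tampered, {"netinst.iso": tampered}),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The third scenario is the thread's point in code: a hash comparison only adds assurance when the checksum file arrived over a channel the attacker could not also rewrite, so the defender's fix is to fetch the SUMS file over TLS or to verify its detached signature (the `.sign` file) against a key obtained out of band before trusting any of its entries.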