Yes, I also think it is quite a shame that we cannot download the
sha256/512sums from a server secured by https + DNSSEC/DANE. At least the
master mirror cdimage.debian.org needs to provide a secure connection for
downloading checksums and the *.jigdo and *.template files. Moreover, I would
appreciate the jigdo program to work with https + possibly DNSSEC as well,
because http is inherently untrusted and thus insecure. Finally, jigdo itself
would need to be uploaded to the master mirror, as we should not execute any
program without inspection from a source which is not secured (would imply
that the source is also trusted).

If we have https + DNSSEC for lists.debian.org and debian.org why not also for
cdimage.debian.org?

Elmar


On 10.07.2014 at 18:52, Joel Rees wrote:

> When I download a new install image, I pretty much always go to random
> mirrors, some largish/mainish and some smallish/obscure and download
> the copies of the checksum files. If all the checksum files compare, I
> can be pretty confident that one of the following conditions exists:
> 
> (1) The image is good if the checksum command reports the correct checksum.
> 
> (2) Some attacker has compromised every mirror I have accessed.
> 
> (3) Some attacker is doing deep inspections on my traffic and
> redirecting traffic every time I go looking for a debian mirror.
> 
> I check a minimum of three mirrors, but when I'm feeling especially
> paranoid I'll check five or six.
> 
> It occurs to me that I might cede some usefulness to having the
> checksums (not images) served over TLS transport on at least one of the
> mirrors, if and only if I remember to set the SSL_CERT_FILE before I
> fire up lynx to go get the checksums. It won't help me if my
> randomness in choosing the servers isn't good enough in case (2), but
> it should help in case (3).
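
The multi-mirror comparison described in the quoted message, as an added example that is not part of the original thread: it refuses to name an expected checksum unless at least three mirrors list the same one, then hashes the local image. The mirror names, file name and image bytes are constructed, and agreement across mirrors still leaves cases (2) and (3) of the quoted message open.

```python
import hashlib
import os
import re
import tempfile

MIN_MIRRORS = 3  # the quoted message checks at least three mirrors
# sha256sum line: 64 hex digits, a space, a mode character (space or '*'), the name
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_sums(text):
    """Parse sha256sum-style text into {file name: lowercase hex digest}."""
    entries = {}
    for line in text.splitlines():
        match = SUM_LINE.match(line.strip())
        if match:
            entries[match.group(2)] = match.group(1).lower()
    return entries

def expected_digest(sums_by_mirror, image_name):
    """Return the digest every mirror lists for image_name, or raise ValueError."""
    if len(sums_by_mirror) < MIN_MIRRORS:
        raise ValueError(f"need {MIN_MIRRORS} mirrors, got {len(sums_by_mirror)}")
    mirrors_by_digest = {}
    for mirror, text in sums_by_mirror.items():
        digest = parse_sums(text).get(image_name)
        if digest is None:
            raise ValueError(f"{mirror}: no entry for {image_name}")
        mirrors_by_digest.setdefault(digest, []).append(mirror)
    if len(mirrors_by_digest) != 1:
        raise ValueError(f"mirrors disagree: {mirrors_by_digest}")
    return next(iter(mirrors_by_digest))

def file_sha256(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large image is never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def verify_image(path, image_name, sums_by_mirror):
    """True only if all mirrors agree and the local file hashes to that digest."""
    return file_sha256(path) == expected_digest(sums_by_mirror, image_name)

if __name__ == "__main__":
    name, data = "debian-netinst.iso", b"constructed image bytes"
    line = f"{hashlib.sha256(data).hexdigest()}  {name}\n"
    mirrors = {m: line for m in ("a.example", "b.example", "c.example")}
    with tempfile.NamedTemporaryFile(delete=False) as image:
        image.write(data)
    print("image verified:", verify_image(image.name, name, mirrors))
    os.unlink(image.name)
```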
