Package: www.debian.org
Severity: important

The Debian website provides no reasonable way of verifying downloads in the absence of a solid web of trust. The checksums, keys and their fingerprints aren't served over HTTPS, with the exception of https://ftp-master.debian.org/keys.html, but the chain of trust in that case is unreasonably difficult to establish for the purpose of checking CD images or other downloads.

Furthermore, http://www.debian.org/CD/verify encourages insecure ways of checking fingerprints, which are posted on a plain HTTP page. There's also no mention of ftp-master and how to use the archive keys to establish a chain of trust. It would be fair to expect that a large proportion of users cannot or will not be able to establish such a web of trust, especially if they're new users. No matter how bad it is, the CA system is still better than nothing and pretty much the only option for a lot of people, so for the purpose of verifying an image and bootstrapping a chain of trust it should do.

I suggest hosting all CD image checksums on an official HTTPS page and updating http://www.debian.org/CD/verify accordingly. This makes it really easy to check downloads, bootstraps the chain of trust with the keys in the image and prevents minimally security-conscious users from doing an insecure verification or skipping it altogether. Furthermore, it's *very* cheap.

In addition to that, consider hosting all keys or at least their fingerprints on an HTTPS page. This can be an alternative to what I suggested above regarding checksums, but I'd advise against doing only that, considering a lot of users just aren't familiar with PGP.

P.S.: On a side note, I recently examined that aspect for a few other major distros. Turns out Ubuntu also gets it wrong (not to mention they still opt for MD5 checksums). Fedora and Gentoo do provide verifiable keys/checksums (although in Gentoo's case official advice could be better):

https://fedoraproject.org/verify
https://www.gentoo.org/proj/en/releng/

Archive: http://lists.debian.org/20130914121750.GA3211@home
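The verification the report asks users to be able to do, shown as an added example (this is not the report's code nor Debian's own tooling): parse a SHA256SUMS-style listing, check a downloaded image against it, and compare a key fingerprint reported locally with one obtained over a trusted channel such as an HTTPS page. The image name `debian-example-netinst.iso`, the image bytes and the fingerprint values are constructed placeholders; the listing format is the one `sha256sum` produces, and the hash of the constructed image is computed at import time so the sample listing is self-consistent.

```python
"""Verify a downloaded image against a checksum list and pin a key fingerprint.

Added example for the report above; not Debian's own tooling.  The listing
format is the one produced by `sha256sum` (SHA256SUMS files); the image name,
image bytes and fingerprints are constructed placeholders.
"""
import hashlib
import hmac
import os
import re
import tempfile

# Constructed image content (stands in for a downloaded ISO).
SAMPLE_IMAGE = b"not a real iso, just constructed bytes\n" * 64
SAMPLE_IMAGE_NAME = "debian-example-netinst.iso"  # constructed name

# Constructed SHA256SUMS: one line per file, "<hex>  <name>" or "<hex> *<name>"
# (the '*' marks binary mode).  The first hash is computed here so the sample
# listing is internally consistent; the second is a deliberately wrong filler.
SAMPLE_SUMS = (
    f"{hashlib.sha256(SAMPLE_IMAGE).hexdigest()}  {SAMPLE_IMAGE_NAME}\n"
    "0000000000000000000000000000000000000000000000000000000000000000 *other.iso\n"
)

_SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def parse_sha256sums(text):
    """Return {filename: hexdigest} from a SHA256SUMS-style listing.

    Lines that do not match the format are rejected outright rather than
    skipped: a truncated or tampered checksum file should fail loudly,
    not silently verify fewer files.
    """
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = _SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line {lineno}: {line!r}")
        entries[m.group(2)] = m.group(1).lower()
    return entries


def sha256_file(path, chunk=1 << 20):
    """Stream the file through SHA-256 so multi-gigabyte images need no RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, sums_text):
    """True only if `path` is listed in sums_text and its hash matches.

    A file missing from the list is a failure, not a pass: a download whose
    name simply has no entry must never be treated as verified.
    """
    entries = parse_sha256sums(sums_text)
    expected = entries.get(os.path.basename(path))
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def normalize_fingerprint(fpr):
    """Strip the spaces/colons used when a PGP fingerprint is printed on a page."""
    return re.sub(r"[\s:]", "", fpr).upper()


def fingerprint_matches(observed, pinned):
    """Compare the fingerprint gpg shows for a key with one fetched over HTTPS."""
    a, b = normalize_fingerprint(observed), normalize_fingerprint(pinned)
    if len(a) != 40 or len(b) != 40:  # v4 OpenPGP fingerprints are 160 bits
        return False
    return hmac.compare_digest(a, b)


def demo():
    """Write the constructed image to a temp dir, verify it, then corrupt it."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, SAMPLE_IMAGE_NAME)
        with open(img, "wb") as f:
            f.write(SAMPLE_IMAGE)
        ok = verify_image(img, SAMPLE_SUMS)
        with open(img, "r+b") as f:  # flip one byte: must now fail
            f.seek(10)
            f.write(b"X")
        tampered = verify_image(img, SAMPLE_SUMS)
        return ok, tampered


if __name__ == "__main__":
    print(demo())
```

In practice the checksum listing itself is first checked with `gpg --verify` against its detached signature, and `fingerprint_matches` is what decides whether the key gpg reports is the one published over the trusted channel; only then is `verify_image` meaningful. Both comparisons use `hmac.compare_digest` and the image check refuses files that have no entry, which is the failure mode a plain `sha256sum -c` run can hide when the output is skimmed.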

