Hi, after the recent Mint ISO hack [1], I wonder how secure the Devuan installer download scheme actually is. The Devuan installer download page [2] uses plain unencrypted HTML [2]. It does supply sha256 checksums, but these are also provided via unencrypted HTML only. No GPG signatures or anything that could provide an independent source for evaluating authenticity.
Now if I downloaded Devuan from within China or Iran or Syria or any company targeted by the NSA [3], how could I ensure that I still received a non-tampered-with .ISO file? What about making the download page HTTPS-only (letsencrypt.org?)?

cheers,
David

[1] http://blog.linuxmint.com/?p=2994
[2] http://files.devuan.org/
[3] https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html

--
GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk2.gpg
Fingerprint: B63B 6AF2 4EEB F033 46F7 7F1D 935E 6F08 E457 205F

_______________________________________________
Dng mailing list
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
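The verification the message finds missing, as an added example that is not part of the original post and not Devuan's tooling: an image is accepted only if the checksum list carries a valid detached GPG signature from a key whose fingerprint was pinned out of band, and the image's SHA-256 matches its entry in that list. The function names, file names and fingerprint argument are assumptions; it expects GNU `sha256sum`, `gpg`, file names without spaces, and the signer's public key already imported.

```shell
# Added example. File names and the fingerprint passed in are placeholders.

# Succeed only if checksum list $1 has a valid detached signature $2 made
# under the primary key whose fingerprint equals the pinned value in $3.
verify_signed_sums() {
    vs_fpr=$(printf '%s' "$3" | tr -d ' ')      # accept "B63B 6AF2 ..." style
    vs_status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || return 1
    # The last field of a VALIDSIG status line is the primary key fingerprint.
    printf '%s\n' "$vs_status" | awk -v want="$vs_fpr" '
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
        END { exit !ok }'
}

# Succeed only if the SHA-256 of image $1 equals the entry listed for its
# base name in checksum list $2. An unlisted file fails closed.
iso_matches_sums() {
    im_name=$(basename "$1")
    im_want=$(awk -v n="$im_name" '{
        f = $2; sub(/^\*/, "", f)               # "*name" marks binary mode
        if (f == n) { print $1; exit }
    }' "$2")
    [ -n "$im_want" ] || return 1
    im_have=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$im_have" = "$im_want" ]
}

# verify_download IMAGE SUMS SIG PINNED_FPR
# The signature is checked first: a checksum list fetched over the same
# unauthenticated channel as the image proves nothing on its own.
verify_download() {
    verify_signed_sums "$2" "$3" "$4" && iso_matches_sums "$1" "$2"
}
```

The pinned fingerprint has to reach the user by a path other than the download page itself, otherwise it inherits the same weakness as the checksums.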
