>>>>> "Daniel" == Daniel Reurich <[email protected]> writes:

[..]

>> Now if I downloaded Devuan from within China or Iran or Syria or any
>> company targeted by the NSA [3], how could I ensure that I still
>> received a non-tampered with .ISO file?
>>
>> What about making the download page HTTPS-only (letsencrypt.org?)?
>>
> HTTPS is no guarantee either unless it's using DNSSEC and DANE. But I
> agree files.devuan.org should be https, and we should also have a site
> on the tor network as well.

At least an attack via MITM on SSL using hacked certs would be detectable
by SSL observatory etc. and thus could not be used on a large scale.

> With regards to verification you can get the pgp checksums from
> packages.devuan.org/<release>/InRelease file which is itself pgp
> signed using Devuan's PGP key which can be obtained from the keyserver
> network which is also accessible via tor using parcimonie. No
> guarantees but much harder to fake all that.

Unfortunately, that doesn't help me, if I already got a root-kit with
the initial netinstaller ISO :/ .

Could you publish detached .pgp signatures or pgp-signed shasums for
the ISOs, too?

cheers,
David

--
GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk2.gpg
Fingerprint: B63B 6AF2 4EEB F033 46F7 7F1D 935E 6F08 E457 205F

_______________________________________________
Dng mailing list
[email protected]
https://mailinglists.dyne.org/cgi-bin/mailman/listinfo/dng
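The check David asks for, as an added example that is not from the thread or from the Devuan project: a POSIX shell script that verifies a PGP-signed SHA256SUMS file against a pinned key fingerprint and only then compares the ISO's hash with the signed list. The file names (SHA256SUMS, SHA256SUMS.asc, devuan_netinst.iso) and the fingerprint are assumptions; the fingerprint is a placeholder to be replaced with the value obtained out of band.

```shell
#!/bin/sh
# Verify an installer ISO against a PGP-signed SHA256SUMS file, pinning the
# fingerprint of the signing key so that a "good" signature from any other
# key is rejected. File names and the fingerprint are assumptions.

# PLACEHOLDER fingerprint: take the real one from a channel independent of
# the ISO download (project site, keyserver, a known-good installation).
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# sha256 of a file; works with GNU coreutils and BSD/macOS shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Print the hash listed for a file name in a SHA256SUMS-style list
# ("<hex>  <name>" or "<hex> *<name>"); fail if the name is absent.
expected_sha256() {
    awk -v n="$2" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; ok = 1 } }
        END { exit ok ? 0 : 1 }' "$1"
}

# Verify the detached signature and require that gpg's VALIDSIG status line
# names the pinned fingerprint (signing subkey or primary key).
verify_sums_signature() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        awk -v f="$EXPECTED_FPR" '$2 == "VALIDSIG" && ($3 == f || $NF == f) { ok = 1 }
            END { exit ok ? 0 : 1 }'
}

# Compare the ISO's actual hash with its entry in the (already verified) list.
check_iso_hash() {
    want=$(expected_sha256 "$1" "$(basename "$2")") || return 1
    [ "$(sha256_of "$2")" = "$want" ]
}

# Whole procedure: signature first, then the hash.
# Usage: verify_iso SHA256SUMS SHA256SUMS.asc devuan_netinst.iso
verify_iso() {
    verify_sums_signature "$1" "$2" || { echo "signature check failed" >&2; return 1; }
    check_iso_hash "$1" "$3" || { echo "hash mismatch for $3" >&2; return 1; }
    echo "OK: $3 matches the signed SHA256SUMS"
}
```

A signature that gpg reports as good but made by a key other than the pinned one still fails here, which is the point of pinning rather than trusting whatever key happens to be in the keyring.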
