Hello, today I've taken a look at a daily image for grml.org and found no way to verify that the image I'm downloading actually is from your build machines.
http://grml.org/daily/ leads me to something like http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/ where there are no OpenPGP signatures available, and the https variant of the URL does not show the files.

This is a problem because a downloader like me can be attacked by serving a different ISO file and the corresponding checksums. To prevent this attack you could

a) also use https on the daily.grml.org server
b) use a new OpenPGP build key without password, publish the pubkey on the https main site and use the key in the automatic build process to generate the detached signatures.

Best Regards,
Bernhard

ps.: if you have a flattr account, I would have flattred you. :) Thanks for grml.

--
www.intevation.de/~bernhard +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
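The signing scheme proposed in option b), as an added example that is not part of the post or of grml's own build tooling: an unattended build host signs each daily artifact with a passphrase-less OpenPGP build key, and a downloader holding only the published public key verifies the detached signature (and rejects a substituted image). Key identity, paths and the stand-in ISO content are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the post or the grml project): unattended detached
# signing with a passphrase-less build key, plus client-side verification.
# Key identity, paths and the "ISO" bytes below are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "skip: gpg not installed" >&2; exit 0; }

WORK=$(mktemp -d)
mkdir -m 700 "$WORK/build" "$WORK/client" "$WORK/site"

# --- build host: generate the build key once, without a passphrase -----------
export GNUPGHOME="$WORK/build"
cat >"$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: daily build key (constructed example)
Name-Email: build-key@example.org
Expire-Date: 0
%commit
EOF
gpg --batch --quiet --gen-key "$WORK/keyparams"
# The public half is what would be published on the https main site.
gpg --batch --armor --export build-key@example.org >"$WORK/site/build-key.asc"

# --- build host: every daily run emits a detached signature next to the file --
ISO="$WORK/site/grml64-full_testing.iso"
printf 'constructed ISO payload\n' >"$ISO"
gpg --batch --quiet --armor --detach-sign --output "$ISO.asc" "$ISO"

# --- downloader: fresh keyring that knows only the published public key -------
export GNUPGHOME="$WORK/client"
gpg --batch --quiet --import "$WORK/site/build-key.asc"

# verify_download ISO SIG: exit 0 only if SIG is a good signature over ISO
# made by a key present in the downloader's keyring.
verify_download() {
  gpg --batch --quiet --verify "$2" "$1" >/dev/null 2>&1
}

if verify_download "$ISO" "$ISO.asc"; then GOOD_RESULT=0; else GOOD_RESULT=$?; fi

# A substituted image: any change to the bytes invalidates the signature,
# even if the attacker also serves matching (unsigned) checksums.
cp "$ISO" "$WORK/tampered.iso"; printf 'x' >>"$WORK/tampered.iso"
if verify_download "$WORK/tampered.iso" "$ISO.asc"; then TAMPERED_RESULT=0; else TAMPERED_RESULT=$?; fi

echo "genuine: $GOOD_RESULT (0 = good)  tampered: $TAMPERED_RESULT (non-zero = rejected)"
gpgconf --kill gpg-agent >/dev/null 2>&1 || true
```

The client keyring is created separately on purpose: trust comes only from the public key fetched over https, not from the build host's secret keyring.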
_______________________________________________
Grml mailing list - [email protected]
http://ml.grml.org/mailman/listinfo/grml
join #grml on irc.freenode.org
grml-devel-blog: http://blog.grml.org/
