Hi,

* Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:

> today I've taken a look at a daily image for grml.org
> and found no way to verify that the image I'm downloading actually is
> from your build machines.

> http://grml.org/daily/
> leads me to something like 
> http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/

> where there are no OpenPGP signatures available,
> and the https variant of the url does not show the files.

> This is a problem because a downloader can be attacked by serving a
> different iso file and the corresponding checksums. To prevent this attack
> you could
> a) also use https on the daily.grml.org server
> b) use a new OpenPGP build-key without password, publish the pubkey on the
> https mainsite and use the key in the automatic building process to generate
> the detached signatures.

Good idea, I'll add this to our todo list.
Thanks!

regards,
-mika-


_______________________________________________
Grml mailing list - [email protected]
http://ml.grml.org/mailman/listinfo/grml
join #grml on irc.freenode.org
grml-devel-blog: http://blog.grml.org/
