* Michael Prokop [Wed Apr 19, 2017 at 03:32:17PM +0200]:
> * Bernhard Reiter [Wed Apr 19, 2017 at 11:08:19AM +0200]:
> > today I've taken a look at a daily image for grml.org
> > and found no way to verify that the image I'm downloading actually is
> > from your build machines.
> >
> > http://grml.org/daily/
> > leads me to something like
> > http://daily.grml.org/grml64-full_testing/2017-04-19_05-31-21/
> > where there are no OpenPGP signatures available,
> > and the https variant of the url does not show the files.
> >
> > This is a problem because a downloader can be attacked by serving a
> > different iso file and the corresponding checksums. To prevent this attack
> > you could
> > a) also use https on the daily.grml.org server
> > b) use a new OpenPGP build-key without password, publish the pubkey on the
> >    https mainsite and use the key in the automatic building process to
> >    generate the detached signatures.
>
> Good idea, I'll add this to our todo list.

And https for daily.grml.org is already available, thanks to Alexander
'formorer' Wirt.

regards,
-mika-
_______________________________________________ Grml mailing list - [email protected] http://ml.grml.org/mailman/listinfo/grml join #grml on irc.freenode.org grml-devel-blog: http://blog.grml.org/
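Proposal b) from the thread above, worked through as an added example (this is not grml's build tooling, and nothing here comes from the list posters). The build side generates a signing-only OpenPGP key with no passphrase and signs the SHA256SUMS file unattended; the download side imports the public key as it would be fetched from the https main site, pins its fingerprint, verifies the detached signature before trusting the checksums, and only then checks the image. Assumed: gpg 2.1 or later, GNU coreutils, and the constructed stand-in names "grml build (demo)" and "grml64-full_demo.iso".

```shell
#!/bin/sh
# Added example, not grml's build code. Build side: passphrase-less
# signing-only OpenPGP key signs SHA256SUMS unattended. Download side:
# verify the signature against a pinned fingerprint, then check the iso.
# Assumptions: gpg >= 2.1, GNU coreutils; key name and iso are stand-ins.
set -eu

WORK=$(mktemp -d)
BUILD="$WORK/build"    # build machine: the private key lives only here
CLIENT="$WORK/client"  # downloader: public key and downloaded files
mkdir -p "$BUILD/gnupg" "$BUILD/out" "$CLIENT/gnupg" "$CLIENT/dl"
chmod 700 "$BUILD/gnupg" "$CLIENT/gnupg"
trap 'gpgconf --homedir "$BUILD/gnupg" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$CLIENT/gnupg" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

gpg_build()  { GNUPGHOME="$BUILD/gnupg"  gpg --batch --yes --quiet "$@"; }
gpg_client() { GNUPGHOME="$CLIENT/gnupg" gpg --batch --yes --quiet "$@"; }
# Loopback pinentry with an empty passphrase is what lets an unattended
# build use the key without any prompt (gpg >= 2.1 needs both options).
NOPASS="--pinentry-mode loopback --passphrase"

# --- build machine, once: signing-only ed25519 key, no passphrase.
gpg_build $NOPASS '' --quick-gen-key 'grml build (demo)' ed25519 sign never
BUILD_FPR=$(gpg_build --with-colons --list-keys 'grml build (demo)' \
            | awk -F: '$1 == "fpr" { print $10; exit }')
# Public key to publish on the https main site; users pin its fingerprint.
gpg_build --armor --export "$BUILD_FPR" > "$BUILD/pubkey.asc"

# --- build machine, per daily build: checksum file + detached signature.
build_release() {
  dir=$1
  printf 'constructed stand-in for the daily ISO\n' > "$dir/grml64-full_demo.iso"
  (cd "$dir" && sha256sum grml64-full_demo.iso > SHA256SUMS)
  gpg_build $NOPASS '' --local-user "$BUILD_FPR" --armor --detach-sign \
            --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# --- downloader: import the key fetched over https (out of band from the
# http daily mirror), then check signature first and checksum second.
import_build_key() { gpg_client --import "$1"; }

# Returns 0 only if SHA256SUMS carries a VALIDSIG from the pinned key AND
# the iso matches SHA256SUMS. An attacker serving a different iso plus
# recomputed checksums fails the signature check; a swapped iso alone fails
# the checksum check. The fingerprint pin matters: an imported but
# unrelated key would otherwise also make "gpg --verify" exit 0.
verify_download() {
  dir=$1
  gpg_client --status-fd 1 --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" \
      2>/dev/null | grep -q "^\[GNUPG:\] VALIDSIG $BUILD_FPR " || return 1
  (cd "$dir" && sha256sum --quiet -c SHA256SUMS >/dev/null 2>&1)
}

# Attacker actions from the thread: swap the iso, then also "fix" the sums.
tamper_iso()  { printf 'backdoor\n' >> "$1/grml64-full_demo.iso"; }
tamper_sums() { (cd "$1" && sha256sum grml64-full_demo.iso > SHA256SUMS); }

build_release "$BUILD/out"
cp "$BUILD/out"/* "$CLIENT/dl/"      # stands in for downloading from the mirror
import_build_key "$BUILD/pubkey.asc"
if verify_download "$CLIENT/dl"; then echo "genuine image"; else echo "REJECTED"; fi
```

The order inside verify_download is the point: the checksum file is only meaningful once its signature has been checked against the fingerprint the user obtained from the https site, not from the same mirror that served the files. The attacker can regenerate SHA256SUMS for a replaced iso, but cannot produce SHA256SUMS.asc without the build key.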
