On Tue, Feb 28, 2012 at 7:10 AM, Gilberto Ficara <[email protected]> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 28/02/2012 12:56, Nico Kadel-Garcia wrote:
> > On Tue, Feb 28, 2012 at 6:44 AM, Horvath Andras <[email protected]
> > <mailto:[email protected]>> wrote:
> > Oh, yeah, OK. What you're referring to has little to nothing to do with
> > encryption of the channel. It's *provenance* of the ISO image and
> > checksums, establishing that the binary material on the mirror server
> > is, in fact, that provided by our faithful software authors.
> >
> > In this case, you can get the checksums from the primary website at
> > http://ftp.scientificlinux.org/linux/scientific/, and get the iso files
> > anywhere you want. I still think it's a good idea to add this, though,
> > just as the RPM's themselves are GPG signed.
>
> unless you access the primary website via https, files could always be
> tampered with while in transit: you can't trust unencrypted channels
>
> Gilberto

You mean in-flight packet manipulation? That's... conceivable, but would seem much less likely and more awkward to set up than a mirror site with "Trojan horse" burdened binaries and checksums. It's also no defense against DNS manipulations or corrupted proxies that would similarly guide HTTPS or other encrypted access to a corrupted site.

Because of these risks, I really think that the encryption of the data channel is a red herring: it's the provenance of the binaries that's a more sensitive danger, especially including the ISO images and the PXE images.

So, to our faithful maintainers: how awkward or painful would it be to add the same GPG signatures as are used for the RPM's to the checksums of the ISO images?
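The check the thread is asking the maintainers to make possible, written out as an added example (this is not code from the original message, the thread's participants, or the Scientific Linux project): verify the detached GPG signature on the checksum listing against a release key obtained out of band, and only then compare the ISO's digest with that signed listing. The transport (plain HTTP from any mirror, HTTPS from the primary site) does not enter into it, which is the point made above. Everything below that is not in the thread is an assumption: the `CHECKSUM` / `CHECKSUM.asc` file names, SHA-256 as the digest algorithm, the `dvd.iso` sample name, and the pinned-keyring file; the `gpg` options used are standard GnuPG flags.

```python
"""Verify a downloaded ISO against a GPG-signed checksum listing.

Added example, not code from the mailing-list thread or from the Scientific
Linux project.  Assumptions (none of these names come from the thread):
  * CHECKSUM lists SHA-256 digests in GNU ``sha256sum`` format or in BSD
    ``SHA256 (name) = hex`` format (both are handled);
  * CHECKSUM.asc is a detached signature over CHECKSUM;
  * the keyring file holds only the distribution's release key and was
    obtained out of band, never from the mirror that served the ISO.
"""
import hashlib
import hmac
import io
import re
import subprocess
import sys

_GNU_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(.+)$")
_BSD_LINE = re.compile(r"^SHA256 \((.+)\) = ([0-9a-fA-F]{64})$")


def parse_checksums(text):
    """Map file name -> lower-case sha256 hex from a checksum listing.

    Blank lines, ``#`` comments and clearsign framing (``-----BEGIN ...``)
    are skipped, so a clearsigned CHECKSUM parses like a plain one.
    """
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-----"):
            continue
        m = _GNU_LINE.match(line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
            continue
        m = _BSD_LINE.match(line)
        if m:
            sums[m.group(1)] = m.group(2).lower()
    return sums


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a file-like object in chunks so a multi-GB ISO needs no RAM."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def checksum_matches(name, stream, sums):
    """True only if ``name`` is listed and the stream hashes to that value.
    An unlisted file is a failure: the signed listing cannot vouch for it."""
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of_stream(stream), expected)


def checksum_matches_bytes(name, data, sums):
    """In-memory variant of ``checksum_matches`` for small inputs and tests."""
    return checksum_matches(name, io.BytesIO(data), sums)


def signing_key_fingerprint(checksum_path, sig_path, keyring_path):
    """Verify the detached signature with GnuPG against the pinned keyring.

    ``--no-default-keyring --keyring FILE`` ignores any key the user happens
    to have imported, so only the out-of-band key can satisfy the check.
    The machine-readable status lines (``--status-fd 1``) are parsed instead
    of trusting the exit code alone; VALIDSIG carries the fingerprint of the
    key that produced the signature.  Returns None on any failure.
    """
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
           "--trust-model", "always", "--status-fd", "1",
           "--verify", sig_path, checksum_path]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True)
    except OSError:  # gpg not installed: the listing stays unverified
        return None
    for line in proc.stdout.splitlines():
        if line.startswith("[GNUPG:] VALIDSIG "):
            return line.split()[2]
    return None


def verify_iso(iso_path, iso_name, checksum_path, sig_path, keyring_path):
    """Signature first, then digest: a checksum nobody signed proves nothing
    about provenance, however the file was transported."""
    fpr = signing_key_fingerprint(checksum_path, sig_path, keyring_path)
    if fpr is None:
        return False, "checksum listing is not signed by the pinned key"
    with open(checksum_path, encoding="utf-8", errors="replace") as fh:
        sums = parse_checksums(fh.read())
    with open(iso_path, "rb") as fh:
        if not checksum_matches(iso_name, fh, sums):
            return False, "sha256 of %s does not match the signed listing" % iso_name
    return True, "signed by %s; digest matches" % fpr


if __name__ == "__main__":
    # usage: verify_iso.py ISO CHECKSUM CHECKSUM.asc release-key.gpg
    if len(sys.argv) != 5:
        sys.exit("usage: %s ISO CHECKSUM CHECKSUM.asc KEYRING" % sys.argv[0])
    iso, sums_file, sig, ring = sys.argv[1:]
    ok, why = verify_iso(iso, iso.rsplit("/", 1)[-1], sums_file, sig, ring)
    print(("OK: " if ok else "FAIL: ") + why)
    sys.exit(0 if ok else 1)
```

The keyring is the whole trust anchor here: if it is fetched from the same mirror (or over the same possibly-proxied connection) as the ISO, an attacker who can replace the ISO can replace the key too, and the signature check degrades to "signed by somebody". Pinning a keyring file that was obtained separately, and refusing an ISO that is simply absent from the signed listing, are what turn a checksum into a provenance check.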
