Re: Debian testing ISOs not GPG signed?

2014-04-15 Thread Steve McIntyre
On Sun, Mar 09, 2014 at 06:03:01PM +0100, Mattias Wadenstein wrote:
On Sun, 9 Mar 2014, Steve McIntyre wrote:

On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:

I just wanted to reinstall my system on new hardware so I downloaded the current
Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
build. After downloading it, I wanted to verify the integrity of the ISO (as I
was used to from the stable builds). But I did not find a signed checksum file.
Are testing builds not signed?? Is there another way to check the integrity of
the testing ISOs?

We (I) don't sign any of the non-release builds on cdimage, no. Only
official stable and beta releases are signed, meaning that they've
undergone some manual verification and testing. It's a deliberate
policy not to sign the testing images, so as to avoid keeping PGP key
material on a remote server.

It might be worth doing automatic signatures by a clearly labeled
automatic signing key, just to reduce the risk of someone
installing from a maliciously altered image. I do agree that the
proper release signing is not doable for testing images though.

Fair point, yes. I've just added a new testing CDs key for automatic
signing:

pub   4096R/09EA8AC3 2014-04-15
  Key fingerprint = F41D 3034 2F35 4669 5F65  C669 4246 8F40 09EA 8AC3
uid  Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>
sub   4096R/6BD05CFB 2014-04-15

and some extra code into the build scripts to use this key for the
daily and weekly testing CD builds. Starting from the next daily build
tonight, this should happen automatically now.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
Support the Campaign for Audiovisual Free Expression: http://www.eff.org/cafe/


-- 
To UNSUBSCRIBE, email to debian-cd-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140415175719.gc17...@einval.com
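The check that Steve's new automatic key makes possible on the download side, written as an added example (not code from the thread or from the debian-cd build scripts): verify the signature over the checksum file, pin the key fingerprint posted above rather than trusting "any key in the keyring", then check the ISO's hash. The file names SHA256SUMS and SHA256SUMS.sign are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from debian-cd: verify a weekly
# testing ISO against its signed checksum file. Assumed file names: SHA256SUMS
# and SHA256SUMS.sign next to the ISO on cdimage.debian.org.
set -eu

# Primary-key fingerprint of the "Debian Testing CDs Automatic Signing Key"
# exactly as posted in the thread (spaces removed).
EXPECTED_FPR="F41D30342F3546695F65C66942468F4009EA8AC3"

# Succeed only if gpg's machine-readable status ($1) contains a VALIDSIG line
# whose signing-key or primary-key fingerprint equals $2. A zero exit from
# "gpg --verify" alone is NOT enough: it means "a good signature by some key
# in your keyring", which is the wrong check for an automatic key whose uid
# anyone could copy onto a look-alike key.
check_validsig() {
    awk -v want="$2" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# Check only the checksum line that names the ISO ($2) in the sums file ($1),
# so other files listed in the sums file do not get in the way.
check_sum() {
    name=$(basename "$2")
    line=$(awk -v n="$name" '$2 == n || $2 == "*" n' "$1")
    [ -n "$line" ] || return 1      # ISO not listed: treat as failure, not "ok"
    printf '%s\n' "$line" | (cd "$(dirname "$2")" && sha256sum -c --status -)
}

# Full flow: signature over the sums file, pinned key, then the ISO's hash.
verify_iso() {
    sums=$1; sig=$2; iso=$3
    status=$(mktemp)
    gpg --batch --status-fd 1 --verify "$sig" "$sums" >"$status" 2>/dev/null || {
        rm -f "$status"; return 1; }
    check_validsig "$status" "$EXPECTED_FPR" || { rm -f "$status"; return 1; }
    rm -f "$status"
    check_sum "$sums" "$iso"
}

# Usage: verify_iso SHA256SUMS SHA256SUMS.sign debian-testing-amd64-netinst.iso
```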



Re: Debian testing ISOs not GPG signed?

2014-03-09 Thread Steve McIntyre
On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:

I just wanted to reinstall my system on new hardware so I downloaded the current
Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
build. After downloading it, I wanted to verify the integrity of the ISO (as I
was used to from the stable builds). But I did not find a signed checksum file.
Are testing builds not signed?? Is there another way to check the integrity of
the testing ISOs?

We (I) don't sign any of the non-release builds on cdimage, no. Only
official stable and beta releases are signed, meaning that they've
undergone some manual verification and testing. It's a deliberate
policy not to sign the testing images, so as to avoid keeping PGP key
material on a remote server.

-- 
Steve McIntyre, Cambridge, UK.  st...@einval.com
I can't ever sleep on planes ... call it irrational if you like, but I'm
 afraid I'll miss my stop -- Vivek Dasmohapatra


Archive: https://lists.debian.org/20140309165413.gp9...@einval.com



Re: Debian testing ISOs not GPG signed?

2014-03-09 Thread Mattias Wadenstein

On Sun, 9 Mar 2014, Steve McIntyre wrote:


On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:


I just wanted to reinstall my system on new hardware so I downloaded the current
Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
build. After downloading it, I wanted to verify the integrity of the ISO (as I
was used to from the stable builds). But I did not find a signed checksum file.
Are testing builds not signed?? Is there another way to check the integrity of
the testing ISOs?


We (I) don't sign any of the non-release builds on cdimage, no. Only
official stable and beta releases are signed, meaning that they've
undergone some manual verification and testing. It's a deliberate
policy not to sign the testing images, so as to avoid keeping PGP key
material on a remote server.


It might be worth doing automatic signatures by a clearly labeled 
automatic signing key, just to reduce the risk of someone installing 
from a maliciously altered image. I do agree that the proper release 
signing is not doable for testing images though.


/Mattias Wadenstein


Archive: https://lists.debian.org/alpine.deb.2.02.1403091801020.29...@hirohito.acc.umu.se



Re: Debian testing ISOs not GPG signed?

2014-03-09 Thread Marcel `sdrfnord` McKinnon
On 09.03.2014 18:03, Mattias Wadenstein wrote:
 On Sun, 9 Mar 2014, Steve McIntyre wrote:
 
 On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:

 I just wanted to reinstall my system on new hardware so I downloaded the current
 Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
 build. After downloading it, I wanted to verify the integrity of the ISO (as I
 was used to from the stable builds). But I did not find a signed checksum file.
 Are testing builds not signed?? Is there another way to check the integrity of
 the testing ISOs?

 We (I) don't sign any of the non-release builds on cdimage, no. Only
 official stable and beta releases are signed, meaning that they've
 undergone some manual verification and testing. It's a deliberate
 policy not to sign the testing images, so as to avoid keeping PGP key
 material on a remote server.
 
 It might be worth doing automatic signatures by a clearly labeled 
 automatic signing key, just to reduce the risk of someone installing 
 from a maliciously altered image.
Would be nice to see this. I guess that there are a lot of advanced users of
Debian who always install Debian testing on their workstation, and no way to
check the integrity of those images is not such a good idea these days.
 I do agree that the proper release 
 signing is not doable for testing images though.
 
 /Mattias Wadenstein

-- 
Kind regards
Marcel `sdrfnord` McKinnon


Archive: https://lists.debian.org/531ca929.2070...@gmx.de