Re: Should not .torrent files be listed in SHA512SUMS et.al. ?
On Wed, Feb 14, 2018 at 12:41:41PM +0100, Wouter Verhelst wrote: >On Tue, Feb 13, 2018 at 02:48:49PM +, Steve McIntyre wrote: >> On Tue, Feb 13, 2018 at 03:41:14PM +0100, Thomas Schmitt wrote: >> >Hi, >> > >> >after having looked at >> > https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/ >> >i wonder whether the .torrent files are sufficently signed on their own. >> >At least they are not listed in the *SUMS files. >> > >> >Is this a similar security problem as with the .jigdo files ? >> > >> >(I have no clue of BitTorrent. So a simple "Don't worry" would be enough.) >> >> As I understand it, BitTorrent works differently so it's not an >> issue. People don't grab the .torrent files directly from our http(s) >> sites, but instead using the torrent tracker itself. > >That really depends on the torrent tracker. Some allow you to enter the >URL to the .torrent file in the tracker, some allow you to enter a >magnet URL, some allow you to download the .torrent file and then run >the tracker on the file, and some (most) allow any of the above. > >Since almost none actually allow you to verify a signature on the >.torrent file, and since I think that's kindof a good idea, I think you >should do so :-) OK, fair point. I'll add these too. -- Steve McIntyre, Cambridge, UK.st...@einval.com "Since phone messaging became popular, the young generation has lost the ability to read or write anything that is longer than one hundred and sixty characters." -- Ignatios Souvatzis
Re: Should not .torrent files be listed in SHA512SUMS et.al. ?
On Tue, Feb 13, 2018 at 02:48:49PM +, Steve McIntyre wrote: > On Tue, Feb 13, 2018 at 03:41:14PM +0100, Thomas Schmitt wrote: > >Hi, > > > >after having looked at > > https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/ > >i wonder whether the .torrent files are sufficently signed on their own. > >At least they are not listed in the *SUMS files. > > > >Is this a similar security problem as with the .jigdo files ? > > > >(I have no clue of BitTorrent. So a simple "Don't worry" would be enough.) > > As I understand it, BitTorrent works differently so it's not an > issue. People don't grab the .torrent files directly from our http(s) > sites, but instead using the torrent tracker itself. That really depends on the torrent tracker. Some allow you to enter the URL to the .torrent file in the tracker, some allow you to enter a magnet URL, some allow you to download the .torrent file and then run the tracker on the file, and some (most) allow any of the above. Since almost none actually allow you to verify a signature on the .torrent file, and since I think that's kindof a good idea, I think you should do so :-) -- Could you people please use IRC like normal people?!? -- Amaya Rodrigo Sastre, trying to quiet down the buzz in the DebConf 2008 Hacklab
Re: Should not .torrent files be listed in SHA512SUMS et.al. ?
On Tue, Feb 13, 2018 at 03:41:14PM +0100, Thomas Schmitt wrote: >Hi, > >after having looked at > https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/ >i wonder whether the .torrent files are sufficently signed on their own. >At least they are not listed in the *SUMS files. > >Is this a similar security problem as with the .jigdo files ? > >(I have no clue of BitTorrent. So a simple "Don't worry" would be enough.) As I understand it, BitTorrent works differently so it's not an issue. People don't grab the .torrent files directly from our http(s) sites, but instead using the torrent tracker itself. That's why I've never added the checksums for them. -- Steve McIntyre, Cambridge, UK.st...@einval.com "Further comment on how I feel about IBM will appear once I've worked out whether they're being malicious or incompetent. Capital letters are forecast." Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html
Should not .torrent files be listed in SHA512SUMS et.al. ?
Hi, after having looked at https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/ i wonder whether the .torrent files are sufficently signed on their own. At least they are not listed in the *SUMS files. Is this a similar security problem as with the .jigdo files ? (I have no clue of BitTorrent. So a simple "Don't worry" would be enough.) Have a nice day :) Thomas
