Re: where to find secure download of installer kernel

To: Sam Overton <samoverton+d-b@gmail.com>
Cc: debian-boot@lists.debian.org
Subject: Re: where to find secure download of installer kernel
From: Steve McIntyre <steve@einval.com>
Date: Thu, 1 Feb 2018 14:48:44 +0000
Message-id: <[🔎] 20180201144844.ws6xlc6gfwgan562@tack.einval.com>
In-reply-to: <[🔎] CAA0mmj+Qu+9H2uedPOX-16ui+EMjkbhMrqhps-MLtwYwbK8SrQ@mail.gmail.com>
References: <[🔎] CAA0mmj+Qu+9H2uedPOX-16ui+EMjkbhMrqhps-MLtwYwbK8SrQ@mail.gmail.com>

On Thu, Feb 01, 2018 at 02:33:25PM +0000, Sam Overton wrote:
>Hi,
>
>I'm trying to download a copy of vmlinuz and initrd.gz from
>
>${MIRROR}/debian/dists/stretch/main/installer-amd64/current/images/hd-media/
>
>All Debian mirrors appear to be HTTP only, and since these files are not deb
>packages, there is no GPG signing of the files. The mirror contains checksums,
>but these are also served over insecure HTTP.
>
>What is the secure way to download and verify these files?

The file ${MIRROR}/debian/dists/stretch/Release has checksums for
main/installer-amd64/current/images/MD5SUMS, and there is a signature
in Release.gpg.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
          note stuck to the mini-bar saying "Paul: This fridge and
          fittings are the correct way around and do not need altering"

Reply to:

References:
- where to find secure download of installer kernel
  - From: Sam Overton <samoverton+d-b@gmail.com>

Prev by Date: Re: where to find secure download of installer kernel
Next by Date: Accepted hw-detect 1.130 (source) into unstable
Previous by thread: Re: where to find secure download of installer kernel
Next by thread: Accepted hw-detect 1.130 (source) into unstable
Index(es):
- Date
- Thread