[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#892803: di-netboot-assistant: unsigned daily images

Matt Taggart <matt@lackof.org> (2018-03-13):
> In the package provided di-sources.list file, in the daily section,
> there are the following comments,
>   ## Daily netboot DI images (not signed?!?). Read:
>   # https://d-i.debian.org/daily-images/build-logs.html
>   # http://wiki.debian.org/DebianInstaller/Today

https://d-i.debian.org/daily-images/daily-build-overview.html is what
should be advertised. The other one was broken in the first place, and
is only kept for the debian-cd part which wasn't integrated in the
“new” view yet. The web server serving the cdimage logs has been shut
down anyway IIRC from a few weeks ago.

And yeah, nobody maintains /Today…

> It would be nice if the d-i daily's were signed, even if they had to
> use a different key that I would then need to install on the system so
> that this di-netboot-assistant check could use. Is there already a bug
> open requesting daily image signing? If not then maybe this one can be
> cloned and reassigned to the right place.

I don't think that's a reasonable thing to do. Images are built on
porterboxes, centralized on dillon, which is used for quite a number
of other things.

What extra security would signing images bring here?

Cyril Brulebois (kibi@debian.org)            <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature

Reply to: