Bug#932272: [debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed

To: submit@bugs.debian.org
Subject: Bug#932272: [debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed
From: Michael Kesper <mkesper@schokokeks.org>
Date: Wed, 17 Jul 2019 10:54:52 +0200
Message-id: <[🔎] 304e2b18-891c-c333-6b70-1acf92b12907@schokokeks.org>
Reply-to: Michael Kesper <mkesper@schokokeks.org>, 932272@bugs.debian.org

Package: debian-installer
Severity: important
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---

Images for system installation need to be checkable against
tampering, otherwise breaking any security chain.
That's why Debian CD-Images come with sha*sums which are signed by
Debian CD signing keys (https://www.debian.org/CD/verify).

This is not the case for all "other images" (hd-media, netboot).
They're official ways of installing Debian, being mentioned in
the install manual:
https://www.debian.org/releases/stable/amd64/ch04s02.de.html#where-files

Is there a way to make sure one gets something officially released by
Debian when using these install media?

Bye
Michael

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Bug#932272: marked as done ([debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed)
  - From: "Debian Bug Tracking System" <owner@bugs.debian.org>

Prev by Date: Bug#689528: please add virtio support for cdrom at install time
Next by Date: Bug#932258: console-setup-freebsd: missing dependency
Previous by thread: Bug#689528: please add virtio support for cdrom at install time
Next by thread: Bug#932272: marked as done ([debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed)
Index(es):
- Date
- Thread