Your message dated Wed, 17 Jul 2019 16:32:20 +0200
with message-id <20190717143220.qjsfhdairwc6hprt@mraw.org>
and subject line Re: Bug#932272: [debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed
has caused the Debian Bug report #932272,
regarding [debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

-- 
932272: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932272
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: [debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed
- From: Michael Kesper <mkesper@schokokeks.org>
- Date: Wed, 17 Jul 2019 10:54:52 +0200
- Message-id: <304e2b18-891c-c333-6b70-1acf92b12907@schokokeks.org>
Package: debian-installer
Severity: important
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

--- Please enter the report below this line. ---

Images for system installation need to be checkable against
tampering, otherwise breaking any security chain.
That's why Debian CD-Images come with sha*sums which are signed by
Debian CD signing keys (https://www.debian.org/CD/verify).

This is not the case for all "other images" (hd-media, netboot).
They're official ways of installing Debian, being mentioned in
the install manual:
https://www.debian.org/releases/stable/amd64/ch04s02.de.html#where-files

Is there a way to make sure one gets something officially released by
Debian when using these install media?

Bye
Michael

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
--- Begin Message ---
- To: Michael Kesper <mkesper@schokokeks.org>, 932272-done@bugs.debian.org
- Cc: secure-testing-team@lists.alioth.debian.org
- Subject: Re: Bug#932272: [debian-installer] Shasums of "other image" variants (hd-media, netboot etc.) not signed
- From: Cyril Brulebois <kibi@debian.org>
- Date: Wed, 17 Jul 2019 16:32:20 +0200
- Message-id: <20190717143220.qjsfhdairwc6hprt@mraw.org>
- In-reply-to: <304e2b18-891c-c333-6b70-1acf92b12907@schokokeks.org>
- References: <304e2b18-891c-c333-6b70-1acf92b12907@schokokeks.org>
Michael Kesper <mkesper@schokokeks.org> (2019-07-17):
> Images for system installation need to be checkable against
> tampering, otherwise breaking any security chain.
> That's why Debian CD-Images come with sha*sums which are signed by
> Debian CD signing keys (https://www.debian.org/CD/verify).
>
> This is not the case for all "other images" (hd-media, netboot).
> They're official ways of installing Debian, being mentioned in
> the install manual:
> https://www.debian.org/releases/stable/amd64/ch04s02.de.html#where-files
>
> Is there a way to make sure one gets something officially released by
> Debian when using these install media?

Sure, look at the Release file?

See check_file_against_release in get-images.sh (from dini aka.
d-i-n-i aka. debian-installer-netboot-images source package, mentioned
in my other reply regarding PXE booting).

Cheers,
-- 
Cyril Brulebois (kibi@debian.org) <https://debamax.com/>
D-I release manager -- Release team member -- Freelance Consultant

Attachment: signature.asc
Description: PGP signature
--- End Message ---
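
The check the reply above points to, sketched as an added example (this is not code from get-images.sh or from the debian-installer project). It assumes the Release file has already been authenticated with its detached signature, that Release lists main/installer-amd64/current/images/SHA256SUMS in its SHA256 section, and that SHA256SUMS entries are relative to its own directory; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Precondition (not run here): Release was authenticated, e.g.
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release
# Usage: check_image Release BASEDIR SUMS_PATH IMAGE

# release_sha256 RELEASE PATH: print "hash size" from the SHA256: section.
release_sha256() {
    awk -v want="$2" '
        /^SHA256:/ { in_sec = 1; next }   # start of the section we trust
        /^[^ ]/    { in_sec = 0 }         # any other field ends it
        in_sec && $3 == want { print $1, $2; found = 1; exit }
        END { exit !found }
    ' "$1"
}

# check_against_release RELEASE BASEDIR PATH: size and SHA256 must both match.
check_against_release() {
    entry=$(release_sha256 "$1" "$3") || {
        echo "not listed in Release: $3" >&2; return 1; }
    want_hash=${entry% *}
    want_size=${entry#* }
    [ -f "$2/$3" ] || { echo "missing file: $2/$3" >&2; return 1; }
    have_size=$(wc -c < "$2/$3" | tr -d ' ')
    have_hash=$(sha256sum "$2/$3" | cut -d' ' -f1)
    [ "$have_size" = "$want_size" ] && [ "$have_hash" = "$want_hash" ]
}

# check_image RELEASE BASEDIR SUMS_PATH IMAGE
#   SUMS_PATH: SHA256SUMS path as listed in Release
#   IMAGE:     path relative to the SHA256SUMS directory (e.g. netboot/netboot.tar.gz)
check_image() {
    # Step 1: SHA256SUMS itself must be covered by the signed Release file.
    check_against_release "$1" "$2" "$3" || return 1
    sums="$2/$3"
    dir=$(dirname "$sums")
    # Step 2: the image must match its entry in the now-trusted SHA256SUMS.
    want=$(awk -v f="$4" '$2 == f || $2 == "./" f { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "not listed in SHA256SUMS: $4" >&2; return 1; }
    [ "$(sha256sum "$dir/$4" | cut -d' ' -f1)" = "$want" ]
}
```

An image that matches a SHA256SUMS file which is not itself covered by Release fails at step 1, which is the case the bug report is asking about.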