Re: Debian testing ISOs not GPG signed?

On Sun, 9 Mar 2014, Steve McIntyre wrote:

On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:

I just wanted to reinstall my system on new hardware so I downloaded the current
Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
build. After downloading it, I wanted to verify the integrity of the ISO (as I
was used to from the stable builds). But I did not find a signed checksum file.
Are testing builds not signed?? Is there another way to check the integrity of
the testing ISOs?

We (I) don't sign any of the non-release builds on cdimage, no. Only
official stable and beta releases are signed, meaning that they've
undergone some manual verification and testing. It's a deliberate
policy not to sign the testing images, so as to avoid keeping PGP key
material on a remote server.

It might be worth doing automatic signatures by a clearly labeled automatic signing key, just to reduce the risk of someone installing from a maliciously altered image. I do agree that the proper release signing is not doable for testing images though.

/Mattias Wadenstein
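Below is an added example of the verification workflow the thread is about (it is not code from the list, from Debian, or from any of the posters): check the detached signature on the checksum file first, accept it only if it comes from a pinned key fingerprint (which is what makes a "clearly labeled automatic signing key" useful, since a good signature from some other key is still rejected), and only then compare the ISO's SHA-256 against the now-trusted checksum list. The fingerprint, the ISO file name and the image bytes are constructed placeholders; the gpg invocation assumes gpg is installed and the expected key already imported.

```python
"""Verify a Debian-style ISO: signed SHA256SUMS first, then the image hash.
Added example, not from the mailing-list thread. The pinned fingerprint,
file name and image contents below are constructed placeholders."""
import hashlib
import hmac
import os
import re
import subprocess
import tempfile

# Placeholder fingerprint (constructed, NOT a real Debian key). Pinning the
# expected signing key is what turns "signed by a clearly labeled automatic
# key" into a real check: a valid signature by any other key is refused.
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

_HEX40 = re.compile(r"^[0-9A-Fa-f]{40}$")
_SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S.*)$")


def parse_sha256sums(text):
    """Parse sha256sum(1) output ('<hex>  <name>' per line) into {name: hex}."""
    sums = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SUM_LINE.match(line)
        if not m:
            raise ValueError("malformed checksum line: %r" % line)
        sums[m.group(2)] = m.group(1).lower()
    return sums


def sha256_of_file(path):
    """Stream the file so a multi-GB image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def iso_matches(iso_path, sums):
    """True only if the ISO's basename is listed and its digest matches."""
    expected = sums.get(os.path.basename(iso_path))
    if expected is None:
        return False
    return hmac.compare_digest(expected, sha256_of_file(iso_path))


def signature_trusted(gpg_status, pinned=PINNED_FINGERPRINTS):
    """Inspect 'gpg --status-fd' output. Only a VALIDSIG line whose signing
    key (or primary key) fingerprint is pinned counts; a GOODSIG line alone,
    or a VALIDSIG from an unexpected key, is not enough."""
    wanted = {fpr.upper() for fpr in pinned}
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]" or parts[1] != "VALIDSIG":
            continue
        fprs = {p.upper() for p in parts[2:] if _HEX40.match(p)}
        if fprs & wanted:
            return True
    return False


def run_gpg_verify(sig_path, data_path, gpg="gpg"):
    """Verify a detached signature and return gpg's machine-readable status
    lines (sent to stdout by --status-fd 1). Needs gpg installed and the
    signing key already imported; the offline demo below does not call it."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return proc.stdout


def verify_image(iso_path, sums_path, sig_path):
    """Order matters: the checksum file is trusted only after its signature is."""
    if not signature_trusted(run_gpg_verify(sig_path, sums_path)):
        return False
    with open(sums_path, "r", encoding="utf-8") as f:
        sums = parse_sha256sums(f.read())
    return iso_matches(iso_path, sums)


def demo():
    """Offline run on constructed data; returns (intact_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        name = "debian-testing-amd64-netinst.iso"  # constructed file name
        iso = os.path.join(d, name)
        with open(iso, "wb") as f:
            f.write(b"constructed image bytes\n")
        sums = parse_sha256sums(
            hashlib.sha256(b"constructed image bytes\n").hexdigest() + "  " + name + "\n")
        intact_ok = iso_matches(iso, sums)
        with open(iso, "ab") as f:
            f.write(b"x")  # simulate a download altered in transit
        tampered_ok = iso_matches(iso, sums)
    return intact_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

For a real download, call verify_image("debian-....iso", "SHA256SUMS", "SHA256SUMS.sign") after importing the key whose fingerprint you pinned; an unsigned weekly build, as the thread notes, gives you only the hash half of this check.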

