[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian testing ISOs not GPG signed?

On Sun, 9 Mar 2014, Steve McIntyre wrote:

On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:

I just wanted to reinstall my system on new hardware so I downloaded the current
Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
build. After downloading it, I wanted to verify the integrity of the ISO (as I
was used to from the stable builds). But I did not find a signed checksum file.
Are testing builds not signed?? Is there another way to check the integrity of
the testing ISOs?

We (I) don't sign any of the non-release builds on cdimage, no. Only
official stable and beta releases are signed, meaning that they've
undergone some manual verification and testing. It's a deliberate
policy not to sign the testing images, so as to avoid keeping PGP key
material on a remote server.

It might be worth doing automatic signatures by a clearly labeled automatic signing key, just to reducing the risk of someone installing from a maliciously altered image. I do agree that the proper release signing is not doable for testing images though.

/Mattias Wadenstein

Reply to: