
Re: Debian testing ISOs not GPG signed?



On 09.03.2014 18:03, Mattias Wadenstein wrote:
> On Sun, 9 Mar 2014, Steve McIntyre wrote:
> 
>> On Sun, Mar 09, 2014 at 02:17:20PM +0100, Marcel `sdrfnord` McKinnon wrote:
>>>
>>> I just wanted to reinstall my system on new hardware so I downloaded the current
>>> Debian testing (http://cdimage.debian.org/cdimage/weekly-builds/amd64/iso-cd/)
>>> build. After downloading it, I wanted to verify the integrity of the ISO (as I
>>> was used to from the stable builds). But I did not find a signed checksum file.
>>> Are testing builds not signed?? Is there another way to check the integrity of
>>> the testing ISOs?
>>
>> We (I) don't sign any of the non-release builds on cdimage, no. Only
>> official stable and beta releases are signed, meaning that they've
>> undergone some manual verification and testing. It's a deliberate
>> policy not to sign the testing images, so as to avoid keeping PGP key
>> material on a remote server.
> 
> It might be worth doing automatic signatures by a clearly labeled
> automatic signing key, just to reduce the risk of someone installing
> from a maliciously altered image.
Would be nice to see this. I guess that there are a lot of "advanced users" of
Debian who always install Debian testing on their workstation, and having no way to
check the integrity of those images is not such a good idea these days.
> I do agree that the proper release 
> signing is not doable for testing images though.
> 
> /Mattias Wadenstein

-- 
Kind regards
Marcel `sdrfnord` McKinnon
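As an added example (not part of this thread or of Debian's own tooling), a POSIX shell helper showing what the signed checksum file discussed above buys the downloader: it checks the ISO's hash against the entry for that file in SHA256SUMS and, when a detached SHA256SUMS.sign is present, verifies it with gpg. An unsigned checksum file, the testing-image situation from the thread, yields a distinct exit status so the caller cannot mistake integrity for authenticity. The SHA256SUMS / SHA256SUMS.sign layout and the optional keyring argument are assumptions of this example.

```shell
# verify_iso DIR ISO [KEYRING]
#   Checks DIR/ISO against DIR/SHA256SUMS and, if DIR/SHA256SUMS.sign exists,
#   verifies that detached signature with gpg (restricted to KEYRING if given).
#   Exit status: 0 = hash OK and signature good (authentic)
#                2 = hash OK but checksum file unsigned (integrity only)
#                1 = missing file, ISO not listed, hash mismatch or bad signature
verify_iso() {
    dir=$1; iso=$2; keyring=$3
    sums="$dir/SHA256SUMS"
    [ -f "$dir/$iso" ] || { echo "missing ISO $iso" >&2; return 1; }
    [ -f "$sums" ] || { echo "missing $sums" >&2; return 1; }
    # Pick only the line naming this ISO ("hash  file" or "hash *file"),
    # so an entry for some other file cannot satisfy the check.
    expected=$(awk -v f="$iso" '$2 == f || $2 == ("*" f) { print $1 }' "$sums")
    [ -n "$expected" ] || { echo "$iso not listed in SHA256SUMS" >&2; return 1; }
    actual=$(sha256sum "$dir/$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $iso" >&2; return 1; }
    if [ ! -f "$sums.sign" ]; then
        # Unsigned checksum file: the hash shows the download was not corrupted,
        # but nothing shows who published the checksums.
        echo "hash OK, but SHA256SUMS is unsigned: integrity only" >&2
        return 2
    fi
    if [ -n "$keyring" ]; then
        set -- --no-default-keyring --keyring "$keyring"
    else
        set --
    fi
    # A good signature only shows the file was signed by a key in the keyring;
    # that key must itself have been obtained through a trusted channel.
    gpg "$@" --verify "$sums.sign" "$sums" >/dev/null 2>&1 \
        || { echo "bad or unverifiable signature on SHA256SUMS" >&2; return 1; }
    echo "hash OK and SHA256SUMS signature verified" >&2
    return 0
}

# Run directly as: sh verify_iso.sh /path/to/download image.iso [keyring.gpg]
if [ "$#" -ge 2 ]; then verify_iso "$@"; fi
```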

