
Bug#770870: cdimage.debian.org: Untrustworthy key used to sign SHA512SUMS: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

Package: cdimage.debian.org
Severity: important

Dear Maintainer,

Debian 7.7 SHA512SUMS are signed with a key that doesn't appear to be signed
by anyone on the Debian keyring, leaving SHA512SUMS unverifiable by any easy

Please note that I have the debian keyring installed in GPG on the machine
on which the following operation was performed.

$ gpg --verify SHA512SUMS.sign
gpg: Signature made Sun Oct 19 19:45:39 2014 PDT using RSA key ID 6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258  9D76 DA87 E80D 6294 BE9B

Meanwhile, it appears this has been noted as a problem since 2011 on the
Debian forums: http://forums.debian.net/viewtopic.php?f=17&t=62272&p=561324

I shouldn't need to remind anyone that we are living in an age of known
MitM attacks versus FOSS software downloads.  Verifying Debian ISOs NEEDS TO
BE EASY.  I can pretty much guarantee you I'm the 1 in 100 users who wouldn't
have given up reporting this when:

* I got an HTTP 500 from the "HyperEstraier based search engine" for Debian
  bugs at http://bugs-search.debian.org/cgi-bin/search.cgi when I looked to
  see if it had already been reported

* I came up against the 11-printed-pages wall of text at https://www.debian.org/Bugs/Reporting

* I found through the wall of text that there was no web interface for bug
  reporting, in this, the Year of Our Lord 2014

* I had to install 'reportbug' on a random Raspberry Pi just to get you this

I know that producing Debian is hard work and that Debian is an accretion of
decades of hard work, but peeps.  Snowden.  NSA.  This is not 1998.  Verifying
downloaded software needs to be EASY TO DO, and you might want bug reporting
to be easy to do, too, even though it involves dealing with lots of dupes from
noobs - if your system is byzantine and/or broken enough to put off actual
software developers, it's ungood.

-- System Information:
Debian Release: 7.6
Architecture: armhf (armv6l)

Kernel: Linux 3.12.28+ (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
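The "Good signature" plus "WARNING: This key is not certified" combination in the report above is easy to misread as success in a script, because gpg's human-readable output is not meant for parsing. The following is an added example, not part of this bug report and not Debian's own tooling: a POSIX sh helper that reads gpg's machine-readable status lines (`--status-fd`, which emit real keywords such as `GOODSIG`, `BADSIG`, `ERRSIG`, `NO_PUBKEY` and `TRUST_*`) and only treats a signature as accepted when it is both good and from a key with full or ultimate trust. The sample status lines embedded below are constructed to mirror the situation in the report (key ID 6294BE9B and its fingerprint are taken from the report); the `verify_sums` wrapper that invokes gpg and `sha512sum` assumes the usual `SHA512SUMS` / `SHA512SUMS.sign` file names.

```shell
#!/bin/sh
# Added example (not part of the bug report): decide whether a detached
# signature is trustworthy from gpg's machine-readable status output.

# classify_status reads "[GNUPG:] ..." lines on stdin and prints one word:
#   trusted   - GOODSIG seen and trust level is FULLY or ULTIMATE (exit 0)
#   untrusted - GOODSIG seen but trust is UNDEFINED/NEVER/MARGINAL/absent (exit 1)
#   bad       - BADSIG/ERRSIG/NO_PUBKEY seen, or no GOODSIG at all (exit 2)
# The report's "Good signature ... WARNING: not certified" case lands in
# "untrusted": the cryptography checks out but nothing vouches for the key.
classify_status() {
    good=0 bad=0 trust=none
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] GOODSIG "*) good=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*) bad=1 ;;
            "[GNUPG:] TRUST_ULTIMATE"*|"[GNUPG:] TRUST_FULLY"*) trust=full ;;
            "[GNUPG:] TRUST_MARGINAL"*) trust=marginal ;;
            "[GNUPG:] TRUST_UNDEFINED"*|"[GNUPG:] TRUST_NEVER"*) trust=low ;;
        esac
    done
    if [ "$bad" -eq 1 ] || [ "$good" -eq 0 ]; then
        echo bad
        return 2
    fi
    if [ "$trust" = full ]; then
        echo trusted
        return 0
    fi
    echo untrusted
    return 1
}

# verify_sums: real-world wrapper (assumed file names). Only if the signature
# is "trusted" does it go on to check the ISO against the signed checksums.
# Usage: verify_sums SHA512SUMS.sign SHA512SUMS
verify_sums() {
    sig=$1 sums=$2
    verdict=$(gpg --status-fd 1 --verify "$sig" "$sums" 2>/dev/null | classify_status)
    echo "signature verdict: $verdict" >&2
    [ "$verdict" = trusted ] || return 1
    sha512sum -c --ignore-missing "$sums"
}

# Constructed sample status streams (not captured from a real gpg run).
# Key ID and fingerprint below are the ones quoted in the report.
SAMPLE_UNTRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] TRUST_UNDEFINED 0 pgp'

SAMPLE_TRUSTED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>
[GNUPG:] TRUST_FULLY 0 pgp'

SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG DA87E80D6294BE9B Debian CD signing key <debian-cd@lists.debian.org>'

# Demonstration on the constructed samples when run directly.
if [ "${DEMO:-1}" = 1 ] && [ -z "$VERIFY_TEST" ]; then
    for s in "$SAMPLE_UNTRUSTED" "$SAMPLE_TRUSTED" "$SAMPLE_BAD"; do
        printf '%s\n' "$s" | classify_status
    done
fi
```

A plain `gpg --verify` exits 0 for the "untrusted" case, so any script that keys off the exit status alone accepts exactly the situation the report complains about; parsing the `TRUST_*` status line is what distinguishes "the signature is mathematically valid" from "the key is one we have reason to trust".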