
Debian Users Can't Download CD's Integrity / Sign files, Over HTTPS Encrypted Connection



Hi,

Isn't it amazing & SAD that currently DEBIAN USERs CANNOT OBTAIN ANY hash/integrity CODE/file, or signature/sign code/file for CD-DVD ISO file, or the file-signing GPG pubkey file, OVER/THRU a (HTTPS/HKPS) ENCRYPTED connection?!!! (from the primary domain/server "debian.org" or "www.debian.org" website, or from the subdomain "cdimage.debian.org")! Do you not notice it?!!!

To me it seems like you are telling your users: Hey users! Here is the ISO file (get it over open & non-encrypted HTTP connection), and to check this ISO file's authenticity, you will need an Integrity HASH code file from us, BUT we cannot give you/user this integrity-file over a direct ENCRYPTED and (SSL/TLS certificate & DANE DNSSEC) verified connection, SO you must accept the INTEGRITY code-file over a modifiable & open & eavesdropped connection. Any SUMS/INTEGRITY files or SIGN files obtained in such a way ARE USELESS, and do not have any sure-integrity in them anymore.

In the http://cdimage.debian.org subdomain website+webpages, please enable an SSL/TLS cert based HTTPS daemon. Then users can access it over an HTTPS encrypted connection.

Please ENABLE URL-redirecting in your server-side HTTPS-daemon to change CD/ISO large-file's URL from HTTPS into HTTP,  and make sure users can download all tiny INTEGRITY files, CheckSums, Hash, Sign, etc files, over HTTPS ENCRYPTED connection.

If HTTPS cannot be enabled in "cdimage.debian.org" subdomain,  then please transfer all those tiny files (CheckSUMS, Hash, Integrity, Sign, etc) for last-stable release under primary domain somewhere, here:

 https://www.debian.org/CD/verify

If the above steps are done, THEN very-large sized (few GIGABYTES sized) ISO files can be delivered to users, or users can obtain them, over non-encrypted HTTP or FTP etc connection. In fact, all users should be forced to download the large-sized ISO file over HTTP non-encrypted connection (by using URL-redirecting on the web-server side), ONLY WHEN INTEGRITY CODEs & PUBKEY are downloadable OVER/THRU (HTTPS/HKPS) ENCRYPTED CONNECTION.

But currently your subdomain "cdimage.debian.org" is not accessible over HTTPS ENCRYPTED connection, so none of the tiny INTEGRITY files or Sign-files can be obtained by any users securely.

CD/DVD image ISO file's GPG-SIGNATURE (sig/sign) FILE or SHAnnnSUMS INTEGRITY FILES (or ISO file-signing or ISO integrity-code file signing GPG PUBKEY FILE),  all of these files are very very TINY SIZED FILES (few KILOBYTES only), compared to the VERY large-sized main file, the ISO files.  So AT-LEAST sig/sign file + Sums/Hash code files (and file-signing Pubkey file), need to be shared with all users (from "https://cdimage.debian.org" or "https://www.debian.org/CD/" website or "https://keyring.debian.org/" website) over HTTPS encrypted connection/transfer.

If those tiny files are downloadable over HTTPS encrypted connection, then users can match/compare "codes" obtained (over secure HTTPS/HKPS Encrypted connection) from SUMS/hash integrity file with the calculated hash code of the downloaded ISO file (or by using a GPG tool, user can verify the authenticity of downloaded ISO file, by using securely downloaded signature file).

Since "Debian.org" website (primary domain) is now already DNSSEC signed by its own developers :) and website's used TLS/SSL cert is also defined+declared in TLSA/DANE dns record :) so all HTTPS webpage INFO from primary website ("https://www.debian.org/") are already (SSL/TLS CA, and, DANE DNSSEC), double channel (aka, double TA) verified. Users can very easily see indication (for free or almost at no-cost) of this double-verification, if they use https://www.dnssec-validator.cz/ addon in (firefox/IE/safari/chrome) web-browser, etc, AND, if a local full dnssec supported dns-resolver (like "unbound" from https://www.unbound.net/) is used.

Please MENTION these two or similar (DNSSEC-Validator, Unbound) APPs IN THAT "verify" WEBPAGE, so that all users+people can know there are OTHER existing & alternative & trustworthy ways to verify/authenticate, and that "debian.org" website & its devs have already implemented & are using them. Unless you mention "DNSSEC" in that "verify" webpage, how else would people know about using this alternative?!!! Don't assume everyone is traveling around the world & meeting correct people all the time, & knows all kinds of (correct) ways.

Please allow your/debian users to enjoy & utilize this double-verification, for getting tiny file-integrity (sums/hash) code files, over HTTPS based encrypted connection from a DNSSEC signed & DANE authenticated website.

Please fix these issues, and update your website. Thank you.

I'm also posting a similar (not exactly same) request in the Debian-CD Mailing-list, as it requires attention from packagers & devs working on CDs/DVDs, to place & show the integrity-files in the primary domain (along with showing in "cdimage" subdomain). Also posting a similar (not exactly same) request in the Debian-www Mailing-list, as it requires them to update SSL cert for the "keyring" & "cdimage" subdomain & update the "verify" webpage. Keeping the Debian-Security Mailing-list discussion in detail, here, as it involves Debian installer & related files' integrity & Debian webserver's data TRANSFER security.

-- Erik.
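
The check described in the message above (integrity file accepted only over HTTPS, the large ISO over any transport, then the two digests compared), as an added example that is not part of the original post or of any Debian tooling. The URL, file name and image bytes are constructed, and `require_https`, `parse_sums`, `file_digest` and `verify_image` are hypothetical helper names.

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit

def require_https(url):
    """Accept an integrity-file URL only if it uses an encrypted transport."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"integrity file must come over HTTPS, got: {url}")
    return url

def parse_sums(text, algo="sha512"):
    """Parse SHA*SUMS lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    width = hashlib.new(algo).digest_size * 2
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, rest = line.split(" ", 1)
        name = rest[1:] if rest[:1] in (" ", "*") else rest
        if len(digest) != width or set(digest.lower()) - set("0123456789abcdef"):
            raise ValueError(f"malformed digest for {name!r}")
        table[name] = digest.lower()
    return table

def file_digest(stream, algo="sha512", chunk=1 << 20):
    """Hash a multi-gigabyte image in fixed-size chunks."""
    h = hashlib.new(algo)
    for block in iter(lambda: stream.read(chunk), b""):
        h.update(block)
    return h.hexdigest()

def verify_image(sums_url, sums_text, image_name, image_stream, algo="sha512"):
    """True only if the HTTPS-delivered digest matches the downloaded image."""
    require_https(sums_url)
    expected = parse_sums(sums_text, algo).get(image_name)
    if expected is None:
        raise KeyError(f"{image_name} is not listed in the sums file")
    return hmac.compare_digest(expected, file_digest(image_stream, algo))

# Constructed sample data: a stand-in "ISO" and the SHA512SUMS file describing it.
IMAGE_NAME = "example-netinst.iso"
IMAGE = b"constructed stand-in for an ISO image\n" * 4096
SUMS_TEXT = f"{hashlib.sha512(IMAGE).hexdigest()}  {IMAGE_NAME}\n"
SUMS_URL = "https://cdimage.example/SHA512SUMS"  # placeholder host

if __name__ == "__main__":
    ok = verify_image(SUMS_URL, SUMS_TEXT, IMAGE_NAME, io.BytesIO(IMAGE))
    print("image verified" if ok else "DIGEST MISMATCH")
```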

