Should not .jigdo files be in SHA512SUMS ?
while working on my JigdoOnLive wiki page i got pointed by Paul Wise
to the fact that the "https:" URLs of cdimage.debian.org files do not
really protect their file content against tampering.
I am quite sure that the .jigdo files get not verified by jigdo-lite
beyond (possibly) the gzip checksum.
There is no entry in the *SUMS files which accompany the .jigdo files
at cdimage.debian.org/debian-cd/current/*/jigdo-*/. The files do not
even bear an inner checksum to surely protect them against transmission
errors (gzip CRC is 32 bit, afaik).
Some undesirable aspects:
- Manipulated .jidgo and .template file could lure jigdo-lite into letting
wget download arbitrary URLs.
- The .iso.tmp file could inflate to arbitrary size.
- jigdo-lite's affirmative final statement about matching checksum could
lure people into omitting the *SUMS/*SUMS.sign verification.
If the .jigdo files would be listed in the *SUMS files, then we could at
least rely on the "Template Hex MD5Sum" inside .jigdo.
Better would be if .template would be listed in *SUMS, too, and if we add
# Template Hex SHA512Sum ...
to the .jigdo file.
We should check whether jigdo-lite or jigdo-file really make use of the
Template and Image checksums in the .jigdo file. (I suspect that its only
MD5, at best.)
Putting new files into *SUMS would have to be done by debian-cd et.al.
The additional SHA512 line in .jigdo would have to done in libjte.
I'd volunteer if Steve McIntyre gives his OK to the plan.
Auditing of jigdo-lite in respect to checksums is in my reach, too.
I will report if i find something especially worrying.
But: The more eyes, the better.
Have a nice day :)