Bug#887830: debian-cd: .jigdo files should be listed in the SUMS files

To: submit@bugs.debian.org
Subject: Bug#887830: debian-cd: *.jigdo files should be listed in the *SUMS files
From: "Thomas Schmitt" <scdbackup@gmx.net>
Date: Sat, 20 Jan 2018 12:54:24 +0100
Message-id: <[🔎] 20724784729804443866@scdbackup.webframe.org>
Reply-to: "Thomas Schmitt" <scdbackup@gmx.net>, 887830@bugs.debian.org

Package: debian-cd
Severity: normal
Tags: upstream

Dear Maintainer,

as described in
  https://lists.debian.org/debian-cd/2018/01/msg00019.html
the *.jigdo files are not listed in the checksum files *SUMS.
There is no way provided to check the authenticity of *.jigdo before
downloading by jigdo-lite begins.

The *.jigdo file provides package file paths, the URLs of fallback
mirrors, and the cheksum of the *.template file. So *.template can
inflate to an image of arbitrary size and jigdo-lite can be lured into
downloading arbitrary URLs.


Have a nice day :)

Thomas

Reply to:

Follow-Ups:
- Bug#887830: debian-cd: *.jigdo files should be listed in the *SUMS files
  - From: shirish शिरीष <shirishag75@gmail.com>

Prev by Date: Re: override: downgrade priority of all libraries to optional
Next by Date: Re: override: wget:web/standard
Previous by thread: Re: Bug#846982: override: downgrade priority of all libraries to optional
Next by thread: Bug#887830: debian-cd: *.jigdo files should be listed in the *SUMS files
Index(es):
- Date
- Thread

Bug#887830: debian-cd: *.jigdo files should be listed in the *SUMS files

Bug#887830: debian-cd: .jigdo files should be listed in the SUMS files