Re: Should not .torrent files be listed in SHA512SUMS et.al. ?

To: Thomas Schmitt <scdbackup@gmx.net>
Cc: debian-cd@lists.debian.org
Subject: Re: Should not .torrent files be listed in SHA512SUMS et.al. ?
From: Steve McIntyre <steve@einval.com>
Date: Tue, 13 Feb 2018 14:48:49 +0000
Message-id: <[🔎] 20180213144849.so27niwvb3gp5l3g@tack.einval.com>
In-reply-to: <[🔎] 29992774361654283926@scdbackup.webframe.org>
References: <[🔎] 29992774361654283926@scdbackup.webframe.org>

On Tue, Feb 13, 2018 at 03:41:14PM +0100, Thomas Schmitt wrote:
>Hi,
>
>after having looked at
>  https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/
>i wonder whether the .torrent files are sufficently signed on their own.
>At least they are not listed in the *SUMS files.
>
>Is this a similar security problem as with the .jigdo files ?
>
>(I have no clue of BitTorrent. So a simple "Don't worry" would be enough.)

As I understand it, BitTorrent works differently so it's not an
issue. People don't grab the .torrent files directly from our http(s)
sites, but instead using the torrent tracker itself.

That's why I've never added the checksums for them.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Further comment on how I feel about IBM will appear once I've worked out
 whether they're being malicious or incompetent. Capital letters are forecast."
 Matthew Garrett, http://www.livejournal.com/users/mjg59/30675.html

Reply to:

Follow-Ups:
- Re: Should not .torrent files be listed in SHA512SUMS et.al. ?
  - From: Wouter Verhelst <wouter@debian.org>

References:
- Should not .torrent files be listed in SHA512SUMS et.al. ?
  - From: "Thomas Schmitt" <scdbackup@gmx.net>

Prev by Date: Should not .torrent files be listed in SHA512SUMS et.al. ?
Next by Date: firmware-buster cannot download
Previous by thread: Should not .torrent files be listed in SHA512SUMS et.al. ?
Next by thread: Re: Should not .torrent files be listed in SHA512SUMS et.al. ?
Index(es):
- Date
- Thread