Re: Should not .torrent files be listed in SHA512SUMS et.al. ?

On Wed, Feb 14, 2018 at 12:41:41PM +0100, Wouter Verhelst wrote:
>On Tue, Feb 13, 2018 at 02:48:49PM +0000, Steve McIntyre wrote:
>> On Tue, Feb 13, 2018 at 03:41:14PM +0100, Thomas Schmitt wrote:
>> >Hi,
>> >
>> >after having looked at
>> >  https://cdimage.debian.org/debian-cd/current/amd64/bt-dvd/
>> >I wonder whether the .torrent files are sufficiently signed on their own.
>> >At least they are not listed in the *SUMS files.
>> >
>> >Is this a similar security problem as with the .jigdo files ?
>> >
>> >(I have no clue of BitTorrent. So a simple "Don't worry" would be enough.)
>> As I understand it, BitTorrent works differently so it's not an
>> issue. People don't grab the .torrent files directly from our http(s)
>> sites, but instead using the torrent tracker itself.
>That really depends on the torrent tracker. Some allow you to enter the
>URL to the .torrent file in the tracker, some allow you to enter a
>magnet URL, some allow you to download the .torrent file and then run
>the tracker on the file, and some (most) allow any of the above.
>Since almost none actually allow you to verify a signature on the
>.torrent file, and since I think that's kind of a good idea, I think you
>should do so :-)

OK, fair point. I'll add these too.

Steve McIntyre, Cambridge, UK.                                steve@einval.com
"Since phone messaging became popular, the young generation has lost the
 ability to read or write anything that is longer than one hundred and sixty
 characters."  -- Ignatios Souvatzis
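
An added example, not part of the original thread or of debian-cd's own tooling: once .torrent files are listed in SHA512SUMS as agreed above, a downloaded .torrent can be checked against that list before it is handed to a BitTorrent client. It assumes SHA512SUMS has already been verified against its detached signature; the file names and contents below are constructed.

```python
import hashlib
import os
import tempfile

def parse_sums(text):
    """Parse sha512sum-style lines: '<128 hex digits>  <filename>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].strip().lstrip("*")
        if len(digest) == 128 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums

def check_file(path, sums):
    """Return 'ok', 'mismatch' or 'unlisted' for path against parsed sums."""
    expected = sums.get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # the signed list does not vouch for this file
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return "ok" if h.hexdigest() == expected else "mismatch"

def demo():
    # Constructed sample data: names and torrent bytes are made up.
    body = b"d8:announce31:http://tracker.example/announcee"
    with tempfile.TemporaryDirectory() as d:
        listed = os.path.join(d, "example-DVD-1.iso.torrent")
        other = os.path.join(d, "example-DVD-2.iso.torrent")
        for p in (listed, other):
            with open(p, "wb") as f:
                f.write(body)
        # Only the first file appears in the (constructed) SHA512SUMS.
        sums = parse_sums(hashlib.sha512(body).hexdigest()
                          + "  example-DVD-1.iso.torrent\n")
        results = {"listed": check_file(listed, sums),
                   "unlisted": check_file(other, sums)}
        with open(listed, "ab") as f:
            f.write(b"x")  # simulate a modified .torrent
        results["tampered"] = check_file(listed, sums)
    return results

if __name__ == "__main__":
    print(demo())
```

A file reported as "unlisted" should be treated as unverified, not as good.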