
Bug#901642: marked as done (No gpg signature for SHA256SUM of "Tiny CDs, flexible USB sticks, etc.")



Your message dated Sat, 16 Jun 2018 01:16:51 +0100
with message-id <20180616001651.tkoovnlbtfbyt3b4@tack.einval.com>
and subject line Re: Bug#901642: No gpg signature for SHA256SUM of "Tiny CDs, flexible USB sticks, etc."
has caused the Debian Bug report #901642,
regarding No gpg signature for SHA256SUM of "Tiny CDs, flexible USB sticks, etc."
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
901642: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901642
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-cd

There is no gpg signature for the SHA256SUM file.
So there is no way to verify that the images originate from Debian.

Via http:// do:

debian.org -> Getting Debian -> Download an installation image ->
Tiny CDs, flexible USB sticks, etc. -> amd64 -> 
http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/

Attachment: pgprTmNRpyyVD.pgp
Description: OpenPGP digital signature


--- End Message ---
--- Begin Message ---
On Sat, Jun 16, 2018 at 12:35:04AM +0200, Alexander Couzens wrote:
>Package: debian-cd
>
>There is no gpg signature for the SHA256SUM file.
>So there is no way to verify that the images originate from Debian.
>
>Via http:// do:
>
>debian.org -> Getting Debian -> Download an installation image ->
>Tiny CDs, flexible USB sticks, etc. -> amd64 -> 
>http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/

Hey Alexander,

There is a trust chain there, in fact - look in

  http://ftp.nl.debian.org/debian/dists/stretch/Release 

which is signed by the associated Release.gpg. I'll admit that it
should be easier to find than this... :-/

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
"C++ ate my sanity" -- Jon Rabone

--- End Message ---
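
The trust chain mentioned in the reply above, written out as an added example (not part of the original messages or of debian-cd): Release.gpg signs Release, Release records the SHA256 of main/installer-amd64/current/images/SHA256SUMS, and SHA256SUMS records the hash of each image. The function names and the local directory layout (Release, Release.gpg, SHA256SUMS and the image saved under one directory) are assumptions, and `make_fixture` builds constructed data, not real Debian files.

```shell
#!/bin/sh
# Added example: Release.gpg -> Release -> SHA256SUMS -> image.
# Step 1: detached signature on Release, checked against the archive keyring
# installed by the debian-archive-keyring package.
verify_release_sig() {  # usage: verify_release_sig DIR
    gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg \
        "$1/Release.gpg" "$1/Release"
}

# Print the SHA256 that Release records for a path relative to dists/<suite>/.
release_sha256() {  # usage: release_sha256 RELEASE_FILE REL_PATH
    awk -v p="$2" '
        /^SHA256:/ { in_sec = 1; next }
        /^[^ ]/    { in_sec = 0 }   # any other field name ends the section
        in_sec && $3 == p { print $1; exit }
    ' "$1"
}

# Steps 2 and 3: SHA256SUMS must match Release, the image must match SHA256SUMS.
verify_chain() {  # usage: verify_chain DIR SUMS_REL_PATH IMAGE
    dir=$1 sums_path=$2 image=$3
    want=$(release_sha256 "$dir/Release" "$sums_path")
    [ -n "$want" ] || { echo "no Release entry for $sums_path" >&2; return 1; }
    got=$(sha256sum "$dir/SHA256SUMS" | awk '{print $1}')
    [ "$want" = "$got" ] || { echo "SHA256SUMS does not match Release" >&2; return 1; }
    want_img=$(awk -v f="$image" '$2 == f { print $1; exit }' "$dir/SHA256SUMS")
    [ -n "$want_img" ] || { echo "no SHA256SUMS entry for $image" >&2; return 1; }
    got_img=$(cd "$dir" && sha256sum "$image" | awk '{print $1}')
    [ "$want_img" = "$got_img" ] || { echo "image hash mismatch" >&2; return 1; }
    echo "OK: $image"
}

# Constructed fixture (not real Debian data) to exercise the chain offline.
make_fixture() {  # usage: make_fixture DIR
    p=main/installer-amd64/current/images/SHA256SUMS
    mkdir -p "$1/netboot"
    printf 'constructed image bytes\n' > "$1/netboot/mini.iso"
    (cd "$1" && sha256sum ./netboot/mini.iso > SHA256SUMS)
    {
        printf 'Suite: stable\nMD5Sum:\n d41d8cd98f00b204e9800998ecf8427e 0 %s\nSHA256:\n' "$p"
        printf ' %s %s %s\n' "$(sha256sum "$1/SHA256SUMS" | awk '{print $1}')" \
            "$(wc -c < "$1/SHA256SUMS")" "$p"
    } > "$1/Release"
}
```

Run `verify_release_sig` first: the hash comparisons in `verify_chain` only mean something once the signature on Release has been checked.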
