
Re: Proposal to augment CD/faq/#verify, version 2



On 10/09/2024 01:22, Thomas Schmitt wrote:
i wrote:
$ gpg --keyserver keyring.debian.org --recv-keys 64E6EA7D 6294BE9B 09EA8AC3

Max Nikulin wrote:
Although I do not expect keys having collisions for 32 bit identifiers
uploaded to keyring.debian.org, I think it is better to use 64 bit
identifiers here
[...]
This is not an additional security problem in the proposed instructions
because they prescribe to compare the fingerprint, not the subset of the
fingerprint which is the key id.

I am not trying to say that it is insecure in *this specific case*. However, from my point of view, it is better to follow general recommendations and to avoid a command that might be more risky in the case of another key server and other short keys. I do not like the idea of showing users bad examples. Anyway, this command is intended for copy-paste. I do not insist, it is just my opinion.

I am unsure if there are drawbacks of the following recipe. Debian users may
try:
sudo apt install debian-keyring

Wouldn't that import all keys ?

It does not import keys; it is necessary to specify a keyring from this package explicitly.

If so, then if the short ids impose any problem, downloading all keys
would be even more of a problem.

The idea is that the content of this keyring may be trusted to the same degree as other installed packages. In addition, gpgv does not touch the user's keyring and it may or may not be an advantage.

Nowadays SUMS files may be obtained using the https: protocol from
cdimage.debian.org even if the image file is downloaded from a local mirror. It
is secure enough.

It is not. Most obviously because if you do not trust the download of
the ISO image, then you cannot trust the SUMS files from the same
directory and via the same internet connection.

No, I was trying to describe a case opposite to "the same directory". I can download the .iso using BitTorrent or from a local mirror that is not listed on the Debian site. However, SUMS files are small and can be instantly fetched namely from cdimage.debian.org as the primary source.

On 09/09/2024 17:45, Thomas Schmitt wrote:
(Note that i know sha512sum option --ignore-missing. But old Debian
systems like Jessie do not know it.)

To keep the FAQ concise, I would consider using --ignore-missing even though Jessie has not reached extended LTS EOL yet. A more complicated and more portable way is perfectly suitable for the wiki article.

Perhaps
    grep "^$computed " SHA512SUMS
is a way to avoid the final "test" command.

My idea with isosize without -x and "head -c BYTES" posted to debian-user was another attempt to simplify the recipe by avoiding separate bs= and count= dd arguments.
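
The checksum lookup discussed in this message (matching a computed hash against SHA512SUMS without relying on `sha512sum --ignore-missing`), as an added example that is not part of the original mail. The function name `verify_in_sums` is hypothetical, and the sketch goes one step beyond the `grep` line above by also requiring the listed file name to match the image.

```shell
#!/bin/sh
# Added example, not from the thread. Portable to systems whose sha512sum
# lacks --ignore-missing.

# verify_in_sums IMAGE SUMSFILE
# Returns 0 only if SUMSFILE contains a line whose hash equals the computed
# SHA-512 of IMAGE and whose file name equals the base name of IMAGE.
# Returns 1 on mismatch, 2 on usage or hashing errors.
verify_in_sums() {
    image=$1
    sums=$2
    [ -r "$image" ] && [ -r "$sums" ] || return 2
    name=$(basename -- "$image")
    computed=$(sha512sum -- "$image" | cut -d' ' -f1)
    # If hashing failed, $computed is empty and a pattern like "^ " could
    # match a malformed line. Insist on exactly 128 lowercase hex digits.
    case $computed in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#computed}" -eq 128 ] || return 2
    # -F -x: fixed string, whole-line match, so neither the hash nor the
    # file name is interpreted as a regular expression.
    # sha512sum writes "HASH  NAME" (text mode) or "HASH *NAME" (binary mode).
    grep -q -F -x -e "$computed  $name" -e "$computed *$name" "$sums"
}
```

This only checks the image against the listing; the SHA512SUMS file itself still has to be authenticated through its signature, as discussed in the thread.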

