Hello list,

In the Debian-installer main menu the entry 'Check the integrity of installation media' verifies whether the currently booted image is untampered (package=cdrom-checker).
It reads the file 'md5sum.txt' and verifies all files listed there [1].

In live-build we provide sha256sum.txt since 2020-03-18, since MD5 checksums are known to be insecure.
There are good instructions on the download pages [2] that help with verification of the downloaded ISO file using sha256 and sha512, but the verification on a booted medium uses only md5.

Could/Should the checksum file be upgraded to use sha256 instead of md5? I could provide a MR if desired.

The cost: 32 additional bytes per file. (With currently about 1200 files that would be 38KiB)

With kind regards,
Roland Clobus

[1] https://sources.debian.org/src/cdrom-checker/1.65/main.c/#L115
[2] https://get.debian.org/images/weekly-live-builds/amd64/iso-hybrid/
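Added example (not code from cdrom-checker or live-build): a small POSIX shell checker that does what the message describes, verifying every file listed in a manifest against a mounted medium, and picks the digest tool from the manifest's name so the same check accepts either md5sum.txt or sha256sum.txt. The function names and the sample medium it builds are constructed for this illustration.

```shell
#!/bin/sh
# Added example: verify every file listed in a checksum manifest against the
# files on a mounted medium. The manifest uses the md5sum/sha256sum output
# format: "<hex digest>  <relative path>". The digest tool is picked from the
# manifest's name, so switching the medium from md5sum.txt to sha256sum.txt
# needs no other change on the checking side.
# Usage: verify_manifest <mount point> <md5sum.txt|sha256sum.txt>
# Returns 0 when every listed file is present and matches, 1 otherwise,
# 2 for an unknown manifest name.
verify_manifest() {
    root=$1
    manifest=$2
    case $manifest in
        md5sum.txt)    tool=md5sum ;;
        sha256sum.txt) tool=sha256sum ;;
        *) echo "unsupported manifest: $manifest" >&2; return 2 ;;
    esac
    failures=0
    while read -r expected path; do
        [ -n "$path" ] || continue       # skip blank lines
        path=${path#./}                  # manifests usually list "./foo"
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"
            failures=$((failures + 1))
            continue
        fi
        actual=$("$tool" "$root/$path" | cut -d' ' -f1)
        if [ "$actual" = "$expected" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            failures=$((failures + 1))
        fi
    done < "$root/$manifest"
    [ "$failures" -eq 0 ]
}

# Build a constructed sample medium in a temporary directory, with two files
# and both manifest styles, so the checker can be exercised offline.
# Prints the directory path.
build_sample_medium() {
    dir=$(mktemp -d)
    mkdir -p "$dir/install"
    printf 'Debian live sample\n' > "$dir/README.txt"
    printf 'not a real kernel\n' > "$dir/install/vmlinuz"
    ( cd "$dir" && md5sum ./README.txt ./install/vmlinuz > md5sum.txt \
                && sha256sum ./README.txt ./install/vmlinuz > sha256sum.txt )
    printf '%s\n' "$dir"
}
```

Against a real medium you would call `verify_manifest` with the medium's mount point instead of the sample directory; a modified or missing file is reported as MISMATCH or MISSING and the function returns non-zero.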