Re: Would be possible to have a ".treeinfo" file added to the installers' page?
On Fri, Dec 7, 2018 at 1:16 PM Paul Wise <pabs@debian.org> wrote:
>
> On Fri, Dec 7, 2018 at 6:37 PM Fabiano Fidêncio wrote:
>
> > So, what I'm looking for is something like:
> > http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/.treeinfo,
> > where the .treeinfo would have something like:
>
> None of the examples you have linked to or quoted appears to be
> OpenPGP signed and some of them are not even available over TLS. I see
> some of them do have cryptographic hashes though. Does treeinfo have
> any protection against MITM attacks?
I sincerely don't know. But how is it different from accessing the
trees nowadays and hard-coding the paths to the kernel and initrd in
the apps?
For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/
isn't even available over TLS either.
So, not saying that we shouldn't care about MITM attacks, just trying
to understand how different the policy would be for this one file than
it currently is for the rest of the installer tree.
In any case, I'm more than happy to hear suggestions from the
community on how we could distinguish the installer trees on our side
if not using .treeinfo files.
Best Regards,
-- 
Fabiano Fidêncio
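The MITM question raised in this exchange can be made concrete with a small worked example. The code below is added here for illustration and is not part of the thread, of the Debian installer, or of any .treeinfo tooling; it assumes the productmd-style INI layout for .treeinfo (a [checksums] section with `path = algorithm:hexdigest` entries) and uses constructed stand-in bytes for the kernel and initrd. It shows that per-file checksums inside .treeinfo only detect accidental corruption: an on-path attacker who can rewrite the file can just as easily rewrite the hashes, so the .treeinfo itself has to be authenticated out of band (here modelled by a pinned digest; a detached OpenPGP signature over a TLS channel would serve the same purpose).

```python
import configparser
import hashlib
import hmac
import io

# Constructed sample tree: relative path -> file bytes (stand-ins, not real images).
ORIGINAL_TREE = {
    "linux": b"constructed kernel image bytes",
    "initrd.gz": b"constructed initrd bytes",
}

# Only modern digests are accepted; md5/sha1 entries are treated as failures.
ALLOWED_ALGORITHMS = {"sha256", "sha512"}


def build_treeinfo(files, arch="amd64"):
    """Render a productmd-style .treeinfo (assumed layout) for the given files."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep path names case-sensitive
    cp["general"] = {"name": "Debian", "version": "9", "arch": arch}
    cp["images-" + arch] = {"kernel": "linux", "initrd": "initrd.gz"}
    cp["checksums"] = {
        path: "sha256:" + hashlib.sha256(data).hexdigest()
        for path, data in files.items()
    }
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def verify_tree(treeinfo_text, files):
    """Check each file against the [checksums] section of treeinfo_text.

    Returns {path: bool}. Missing entries and unsupported algorithms fail closed.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(treeinfo_text)
    results = {}
    for path, data in files.items():
        entry = cp.get("checksums", path, fallback=None)
        if entry is None:
            results[path] = False
            continue
        algo, _, expected = entry.partition(":")
        if algo not in ALLOWED_ALGORITHMS:
            results[path] = False
            continue
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison of the hex digests.
        results[path] = hmac.compare_digest(actual, expected)
    return results


def treeinfo_matches_pin(treeinfo_text, pinned_sha256):
    """Authenticate the .treeinfo itself against a digest obtained out of band
    (for example from a signed Release-style file or a TLS-protected endpoint)."""
    actual = hashlib.sha256(treeinfo_text.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256)


def mitm_demo():
    """Why per-file hashes alone do not stop an on-path attacker.

    Returns (original_ok, tampered_passes_rewritten_treeinfo, tampered_treeinfo_matches_pin).
    """
    good_treeinfo = build_treeinfo(ORIGINAL_TREE)
    pin = hashlib.sha256(good_treeinfo.encode("utf-8")).hexdigest()  # learned out of band
    original_ok = all(verify_tree(good_treeinfo, ORIGINAL_TREE).values())

    # A plain-HTTP interposer swaps the kernel AND regenerates the checksums section.
    tampered_tree = dict(ORIGINAL_TREE, linux=b"modified kernel image bytes")
    tampered_treeinfo = build_treeinfo(tampered_tree)
    tampered_ok = all(verify_tree(tampered_treeinfo, tampered_tree).values())

    # Only a check anchored outside the untrusted channel catches the swap.
    pin_ok = treeinfo_matches_pin(tampered_treeinfo, pin)
    return original_ok, tampered_ok, pin_ok


if __name__ == "__main__":
    print(mitm_demo())  # (True, True, False)
```

The three booleans returned by `mitm_demo()` are the whole argument: the genuine tree verifies, the tampered tree also verifies against its rewritten .treeinfo, and only the pinned digest of the .treeinfo fails. In other words, .treeinfo is no worse than hard-coded paths fetched over plain HTTP, but it is no better either until the file is signed or served over an authenticated channel.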