Re: Would be possible to have a ".treeinfo" file added to the installers' page?

To: pabs@debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
From: Fabiano Fidêncio <fabiano@fidencio.org>
Date: Fri, 7 Dec 2018 13:23:06 +0100
Message-id: <[🔎] CAK9pz9KK4HGxCf=w39QeezeekShtSA+8fLSjgS-XHRAzbLLHBA@mail.gmail.com>
In-reply-to: <[🔎] CAKTje6Gsp=FSODatRXa6FDxoEYRQXxqwoMTvPQ5J5=1N8J3Mcg@mail.gmail.com>
References: <[🔎] CAK9pz9+D2W2+5x1Nwe_+vXhmafOKe3gehrycudPHm38YKX75FQ@mail.gmail.com> <[🔎] 20181207101027.GA3726@debian.org> <[🔎] CAK9pz9KXod48jkcpv-Kx6THjbT-U_YNWKwNHAFxW2mnPgVm3-Q@mail.gmail.com> <[🔎] CAKTje6Gsp=FSODatRXa6FDxoEYRQXxqwoMTvPQ5J5=1N8J3Mcg@mail.gmail.com>

On Fri, Dec 7, 2018 at 1:16 PM Paul Wise <pabs@debian.org> wrote:
>
> On Fri, Dec 7, 2018 at 6:37 PM Fabiano Fidêncio wrote:
>
> > So, what I'm looking for is something like:
> > http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/.treeinfo,
> > where the .treeinfo would  have something like:
>
> None of the examples you have linked to or quoted appears to be
> OpenPGP signed and some of them are not even available over TLS. I see
> some of them do have cryptographic hashes though. Does treeinfo have
> any protection against MITM attacks?

I sincerely don't know. But how is it different from accessing the
trees nowadays and hard-coding the paths to the kernel and initrd in
the apps?
For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/
isn't even available over TLS also.

So, not saying that we shouldn't care about MITM attacks, just trying
to understand how different the policy would be for this one file than
it currently is for the rest of the installer tree.

In any case, I'm more than happy to hear suggestions from the
community on how we could distinguish the installer trees on our side
if not using .treeinfo files.

Best Regards,
-- 
Fabiano Fidêncio

Reply to:

Follow-Ups:
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Fabiano Fidêncio <fabiano@fidencio.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Paul Wise <pabs@debian.org>

References:
- Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Fabiano Fidêncio <fabiano@fidencio.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Antonio Terceiro <terceiro@debian.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Fabiano Fidêncio <fabiano@fidencio.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: git vs dfsg tarballs
Next by Date: Re: git vs dfsg tarballs
Previous by thread: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
Next by thread: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
Index(es):
- Date
- Thread