Re: Would be possible to have a ".treeinfo" file added to the installers' page?
On Fri, Dec 7, 2018 at 8:23 PM Fabiano Fidêncio wrote:
> I sincerely don't know. But how is it different from accessing the
> trees nowadays and hard-coding the paths to the kernel and initrd in
> the apps?
Accessing hardcoded URLs (to .treeinfo or other files) isn't a good
idea in case they change.
> For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/
> isn't even available over TLS also.
It is however protected in the same way all of the archive is, using
OpenPGP signatures on the Release files and a hash chain to the files
> So, not saying that we shouldn't care about MITM attacks, just trying
> to understand how different the policy would be for this one file than
> it currently is for the rest of the installer tree.
If a .treeinfo were added for each of the installer directories, I
assume it wouldn't be treated any different to the other files in
> In any case, I'm more than happy to hear suggestions from the
> community on how we could distinguish the installer trees on our side
> if not using .treeinfo files.
Personally, until something better exists (such as .treeinfo) I would
be using the apt repository metadata. It seems to contain similar info
to the example treeinfo you quoted anyway.