Re: Would be possible to have a ".treeinfo" file added to the installers' page?

To: fabiano@fidencio.org
Cc: debian-devel@lists.debian.org
Subject: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
From: Paul Wise <pabs@debian.org>
Date: Fri, 7 Dec 2018 20:34:34 +0800
Message-id: <[🔎] CAKTje6EVKXpG2xaWUkVWWtK6G4TD0z6zSSz26XW0H4ON=3QXSg@mail.gmail.com>
In-reply-to: <[🔎] CAK9pz9KK4HGxCf=w39QeezeekShtSA+8fLSjgS-XHRAzbLLHBA@mail.gmail.com>
References: <[🔎] CAK9pz9+D2W2+5x1Nwe_+vXhmafOKe3gehrycudPHm38YKX75FQ@mail.gmail.com> <[🔎] 20181207101027.GA3726@debian.org> <[🔎] CAK9pz9KXod48jkcpv-Kx6THjbT-U_YNWKwNHAFxW2mnPgVm3-Q@mail.gmail.com> <[🔎] CAKTje6Gsp=FSODatRXa6FDxoEYRQXxqwoMTvPQ5J5=1N8J3Mcg@mail.gmail.com> <[🔎] CAK9pz9KK4HGxCf=w39QeezeekShtSA+8fLSjgS-XHRAzbLLHBA@mail.gmail.com>

On Fri, Dec 7, 2018 at 8:23 PM Fabiano Fidêncio wrote:

> I sincerely don't know. But how is it different from accessing the
> trees nowadays and hard-coding the paths to the kernel and initrd in
> the apps?

Accessing hardcoded URLs (to .treeinfo or other files) isn't a good
idea in case they change.

> For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/
> isn't even available over TLS also.

It is however protected in the same way all of the archive is, using
OpenPGP signatures on the Release files and a hash chain to the files
themselves.

http://ftp.debian.org/debian/dists/stretch/Release
http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/SHA256SUMS

> So, not saying that we shouldn't care about MITM attacks, just trying
> to understand how different the policy would be for this one file than
> it currently is for the rest of the installer tree.

If a .treeinfo were added for each of the installer directories, I
assume it wouldn't be treated any different to the other files in
those directories.

> In any case, I'm more than happy to hear suggestions from the
> community on how we could distinguish the installer trees on our side
> if not using .treeinfo files.

Personally, until something better exists (such as .treeinfo) I would
be using the apt repository metadata. It seems to contain similar info
to the example treeinfo you quoted anyway.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise

Reply to:

Follow-Ups:
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Fabiano Fidêncio <fabiano@fidencio.org>

References:
- Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Fabiano Fidêncio <fabiano@fidencio.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Antonio Terceiro <terceiro@debian.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Fabiano Fidêncio <fabiano@fidencio.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Paul Wise <pabs@debian.org>
- Re: Would be possible to have a ".treeinfo" file added to the installers' page?
  - From: Fabiano Fidêncio <fabiano@fidencio.org>

Prev by Date: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
Next by Date: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
Previous by thread: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
Next by thread: Re: Would be possible to have a ".treeinfo" file added to the installers' page?
Index(es):
- Date
- Thread