Re: Would be possible to have a ".treeinfo" file added to the installers' page?
Paul,
On Fri, Dec 7, 2018 at 1:34 PM Paul Wise <pabs@debian.org> wrote:
>
> On Fri, Dec 7, 2018 at 8:23 PM Fabiano Fidêncio wrote:
>
> > I sincerely don't know. But how is it different from accessing the
> > trees nowadays and hard-coding the paths to the kernel and initrd in
> > the apps?
>
> Accessing hardcoded URLs (to .treeinfo or other files) isn't a good
> idea in case they change.
>
> > For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/
> > isn't even available over TLS also.
>
> It is however protected in the same way all of the archive is, using
> OpenPGP signatures on the Release files and a hash chain to the files
> themselves.
>
> http://ftp.debian.org/debian/dists/stretch/Release
> http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/SHA256SUMS
>
> > So, not saying that we shouldn't care about MITM attacks, just trying
> > to understand how different the policy would be for this one file than
> > it currently is for the rest of the installer tree.
>
> If a .treeinfo were added for each of the installer directories, I
> assume it wouldn't be treated any different to the other files in
> those directories.
>
> > In any case, I'm more than happy to hear suggestions from the
> > community on how we could distinguish the installer trees on our side
> > if not using .treeinfo files.
>
> Personally, until something better exists (such as .treeinfo) I would
> be using the apt repository metadata. It seems to contain similar info
> to the example treeinfo you quoted anyway.
Would you mind to point me to one of the apt repository metadata?
I'd like to see its structure and what's the info provided (and mainly
how we, as libosinfo, could fetch information about the kernel/initrd
and OS version from there). If all the info is provided there, it may
be the way to go.
Best Regards,
--
Fabiano Fidêncio
Reply to: