Bug#721623: marked as done (release.debian.org: installer images are not signed.)

[owner@bugs.debian.org (Debian Bug Tracking System)]

Your message dated Mon, 02 Sep 2013 18:22:28 +0200
with message-id <5224BB44.7070607@debian.org>
and subject line Re: Bug#721623: release.debian.org: installer images are not signed.
has caused the Debian Bug report #721623,
regarding release.debian.org: installer images are not signed.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
721623: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721623
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: release.debian.org: installer images are not signed.
• From: Michal Suchanek <michal.suchanek@ruk.cuni.cz>
• Date: Mon, 02 Sep 2013 15:45:13 +0200
• Message-id: <20130902134513.15543.14439.reportbug@OptiPlex960.ruk.cuni.cz>

Package: release.debian.org
Severity: important

Hello,

the installer images (such as released on
http://http.us.debian.org/debian/dists/wheezy/main/installer-amd64/current/images/netboot/)
have SHA and MD5 signatures but no signature whatsoever.

How is one supposed to verify the integrity of the installers?

Thanks


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (910, 'testing'), (900, 'stable'), (610, 'oldstable'), (500, 'testing'), (410, 'unstable'), (200, 'experimental'), (150, 'precise-updates'), (150, 'precise-security'), (150, 'precise')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/bash

--- End Message ---

--- Begin Message ---

• To: 721623-done@bugs.debian.org
• Subject: Re: Bug#721623: release.debian.org: installer images are not signed.
• From: Ansgar Burchardt <ansgar@debian.org>
• Date: Mon, 02 Sep 2013 18:22:28 +0200
• Message-id: <5224BB44.7070607@debian.org>
• In-reply-to: <20130902134513.15543.14439.reportbug__10750.5788597793$1378129707$gmane$org@OptiPlex960.ruk.cuni.cz>
• References: <20130902134513.15543.14439.reportbug__10750.5788597793$1378129707$gmane$org@OptiPlex960.ruk.cuni.cz>

On 09/02/2013 15:45, Michal Suchanek wrote:
> Package: release.debian.org
The right pseudo-package would be ftp.debian.org.

> the installer images (such as released on
> http://http.us.debian.org/debian/dists/wheezy/main/installer-amd64/current/images/netboot/)
> have SHA and MD5 signatures but no signature whatsoever.
> 
> How is one supposed to verify the integrity of the installers?

dists/*/Release and dists/*/InRelease are signed and include a hash for
the MD5SUMS/SHA1SUMS hashes in the installer directory:

 35[...]    10309 main/installer-amd64/20130613/images/MD5SUMS
 d8[...]    14289 main/installer-amd64/20130613/images/SHA256SUMS

Ansgar

--- End Message ---