Your message dated Mon, 02 Sep 2013 18:22:28 +0200 with message-id <5224BB44.7070607@debian.org> and subject line Re: Bug#721623: release.debian.org: installer images are not signed. has caused the Debian Bug report #721623, regarding release.debian.org: installer images are not signed. to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 721623: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721623 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: release.debian.org: installer images are not signed.
- From: Michal Suchanek <michal.suchanek@ruk.cuni.cz>
- Date: Mon, 02 Sep 2013 15:45:13 +0200
- Message-id: <20130902134513.15543.14439.reportbug@OptiPlex960.ruk.cuni.cz>
Package: release.debian.org Severity: important Hello, the installer images (such as released on http://http.us.debian.org/debian/dists/wheezy/main/installer-amd64/current/images/netboot/) have SHA and MD5 signatures but no signature whatsoever. How is one supposed to verify the integrity of the installers? Thanks -- System Information: Debian Release: jessie/sid APT prefers testing APT policy: (910, 'testing'), (900, 'stable'), (610, 'oldstable'), (500, 'testing'), (410, 'unstable'), (200, 'experimental'), (150, 'precise-updates'), (150, 'precise-security'), (150, 'precise') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.9-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Shell: /bin/sh linked to /bin/bash
--- End Message ---
--- Begin Message ---
- To: 721623-done@bugs.debian.org
- Subject: Re: Bug#721623: release.debian.org: installer images are not signed.
- From: Ansgar Burchardt <ansgar@debian.org>
- Date: Mon, 02 Sep 2013 18:22:28 +0200
- Message-id: <5224BB44.7070607@debian.org>
- In-reply-to: <20130902134513.15543.14439.reportbug__10750.5788597793$1378129707$gmane$org@OptiPlex960.ruk.cuni.cz>
- References: <20130902134513.15543.14439.reportbug__10750.5788597793$1378129707$gmane$org@OptiPlex960.ruk.cuni.cz>
On 09/02/2013 15:45, Michal Suchanek wrote: > Package: release.debian.org The right pseudo-package would be ftp.debian.org. > the installer images (such as released on > http://http.us.debian.org/debian/dists/wheezy/main/installer-amd64/current/images/netboot/) > have SHA and MD5 signatures but no signature whatsoever. > > How is one supposed to verify the integrity of the installers? dists/*/Release and dists/*/InRelease are signed and include a hash for the MD5SUMS/SHA1SUMS hashes in the installer directory: 35[...] 10309 main/installer-amd64/20130613/images/MD5SUMS d8[...] 14289 main/installer-amd64/20130613/images/SHA256SUMS Ansgar
--- End Message ---