
Fwd: question regarding verification of a debian installation iso

---------- Forwarded message ----------
From: Naja Melan <najamelan@gmail.com>
Date: Sun, Jan 2, 2011 at 10:55 PM
Subject: Re: question regarding verification of a debian installation iso
To: Arthur de Jong <adejong@debian.org>


Arthur,

I wholeheartedly agree with everything you write. I also think https has serious drawbacks. So does a web of trust. However, we have to do it with the means we have. https has the major advantage that it works reasonably well for a public user (e.g., potentially non-geek (not in a PGP web of trust), likely not connected to Debian developers). Security is like a pyramid, with the operating system quite at the top. In principle, the nearer the top, the more seriously people should take security. To the extent that an OS should have an impeccable policy in that sense, and an impeccable execution of that policy.

Considering thus that https exists, for lack of anything better or equal, it is a pisstake if you cannot even get your operating system verified at the level of security offered by https. By the way, the link you sent is not certified.

In the meantime I have found the MD5 hashes of Ubuntu ISOs on their wiki, but considering that they only offer MD5 it is questionable how seriously they take security anyway.

So personally I'm not in a PGP web of trust (and personally I wouldn't trust that much more than https).
Still looking for practical inspiration,
greetz,

naja melan
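The "practical inspiration" the mail asks for, as an added example that is not part of the original thread: a small POSIX shell script that checks a downloaded image against a SHA-256 checksum list, the kind of check a practitioner would run against a Debian image and its published SHA256SUMS file (the use of SHA-256 rather than the MD5 the mail complains about is the point). The filenames, the checksum-list layout and the demo data are constructed here; the image files are not real installer images. A hash alone only proves the bytes match the list, so the script also carries a wrapper around `gpg --verify` for the detached signature that authenticates the list itself; it assumes a keyring you have already obtained and is not exercised in the demo because no key material is constructed.

```shell
#!/bin/sh
# Added example (not from the original mail): verify a downloaded image
# against a SHA-256 checksum list. Filenames are hypothetical; the image
# and checksum files below are constructed in a temporary directory.
set -u

# verify_image IMAGE SUMS
# Returns 0 when IMAGE's SHA-256 equals the entry for its basename in SUMS,
# 1 when the entry is missing or the digests differ.
verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")
    # Checksum lists are "digest  name" (text mode) or "digest *name"
    # (binary mode); the digest is 64 lowercase hex characters.
    expected=$(grep -E "^[0-9a-f]{64} [ *]$name\$" "$sums" | head -n 1 | cut -c1-64)
    if [ -z "$expected" ]; then
        echo "no SHA-256 entry for $name in $sums" >&2
        return 1
    fi
    actual=$(sha256sum "$image" | cut -c1-64)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $name" >&2
        return 1
    fi
    return 0
}

# verify_sums_signature SUMS SIG KEYRING
# Checks the detached OpenPGP signature over the checksum list, so that the
# list itself (not only the transport it came over) is authenticated.
# Assumes a keyring file you trust; not run in the demo below.
verify_sums_signature() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1"
}

# --- constructed demo data ---
demo_dir=$(mktemp -d)
mkdir "$demo_dir/tampered"
printf 'pretend this is an installer image\n' > "$demo_dir/good.iso"
# The published list carries the digest of the genuine image.
( cd "$demo_dir" && sha256sum good.iso > SHA256SUMS )
# Same filename, different bytes: what a hostile mirror would serve.
printf 'pretend this is an installer image with a backdoor\n' \
    > "$demo_dir/tampered/good.iso"

if verify_image "$demo_dir/good.iso" "$demo_dir/SHA256SUMS"; then
    echo "good.iso: OK"
fi
if ! verify_image "$demo_dir/tampered/good.iso" "$demo_dir/SHA256SUMS"; then
    echo "tampered good.iso: REJECTED"
fi
```

In practice the list and its signature are fetched alongside the image, the signature is checked first, and only then is the image compared against the list; a matching digest from an unsigned list served over plain HTTP proves nothing about who produced the image.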
