
Fwd: Fwd: question regarding verification of a debian installation iso

Arto Artinian <artinian@fastmail.fm> :
Hi Naja,

I am not sure what your point is here?  You don't trust pgp webs of trust, nor https, nor md5 checksums of debian sources.  I mean, at some point if you want to use software that you didn't exclusively write and/or audit, you're gonna have to implicitly trust someone.  If not, what's the alternative?


My point is:

If we want to seriously speak of security, then we might conceive that at an operating system level, amongst many other things, the issue of getting it from the developer to the user without it being tampered with on the way is quite an important point, lest we ridicule ourselves. Currently this is how far I get on a practical level on this particular link of the security chain:

1. Probably the safest thing to do is buy a mac or windows cd in the shop, although there is (for me) no way of knowing how safe that really is.
2. Some linux distros I see now do have certified https, like fedora, which puts gpg fingerprints (SHA1) of their public keys on their certified website.
3. Other distros have md5 hashes over certified https, like ubuntu. (virtually a shared fourth place with debian)
4. debian, which for a general user who has not been able to obtain in a safe way a chain of trust to the Debian CD signing key (read: next to everyone), boils down to, well, plain http!

Whenever I need to install a secure system, or advise someone on how to do that, I will have to pick something from that list or avoid using a computer altogether. MD5 is truly ridiculous, so I won't go into it (google search will). Https has, like I said, serious drawbacks that are unfortunately not known by the people using it, and unfortunately are not turned up easily by a web search. I would avoid having to go into details about it unless there is a true genuine need for a security review of https (amongst other reasons because I don't consider myself an expert).

So basically, security comes in levels. Truly secure we have nothing at the moment. Somewhat secure is https and web of trust. Not at all secure is md5 or plain http, when we are talking about releasing something to the public.

You don't trust pgp webs of trust, nor https, nor md5 checksums of debian sources.

So, my point is I feel I want to avoid the "not at all secure" category if I can, and was wondering why that kept me from using debian. I thought I had just missed something.

If I didn't, given the number of people choosing debian for "secure" systems, that is troublesome, and more so because if the lax attitude vs verifying the installation media is representative for the whole debian development, then I just want to steer away from it and start telling people to stop using it.

naja melan
