Re: Debian mirrors and MITM
On May 30, 2014, at 9:30 AM, Alfie John <firstname.lastname@example.org> wrote:
> On Fri, May 30, 2014, at 11:27 PM, Michael Stone wrote:
>> On Fri, May 30, 2014 at 09:24:47AM -0400, Michael Stone wrote:
>>> That's why you verify the initial install media per the link I posted
>> Oh, and those key fingerprints are on an https page for those who
>> actually trust the CA system.
> That was my next question. If the fingerprints are on an HTTPS-served
> page, then yes, that seems like a valid solution.
> And thanks Reid Sutherland for telling me I have no clue. Much
In your private response to me, you didn’t.
The whole point here is that Debian is already verifying the content it is receiving from any given data source. This was done from the very beginning because anyone can mirror and distribute Debian software. So unless there is a flaw with libc and libgpg, we are safe for downloading the public Debian content from anywhere.
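The verification chain Reid is describing, as an added example that is not part of the thread or of apt's own code: once the Release file's OpenPGP signature has been checked (assumed already done here, so the example starts from the trusted Release text), the Release hashes cover the Packages index, and the index's hashes cover each .deb, so a mirror can serve the files but cannot alter them undetected. All repository content below is constructed.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample repository content (not real Debian files).
DEB = b"constructed .deb bytes"
PACKAGES = (
    "Package: hello\n"
    "Version: 2.10-1\n"
    "Filename: pool/main/h/hello/hello_2.10-1_amd64.deb\n"
    f"Size: {len(DEB)}\n"
    f"SHA256: {sha256_hex(DEB)}\n"
)
RELEASE = (
    "Suite: stable\n"
    "SHA256:\n"
    f" {sha256_hex(PACKAGES.encode())} {len(PACKAGES.encode())} main/binary-amd64/Packages\n"
)

def parse_release_sha256(release: str) -> dict:
    """Map index path -> (sha256, size) from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in release.splitlines():
        if not line.startswith(" "):          # an unindented field line ends the section
            in_section = line.strip() == "SHA256:"
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries

def parse_packages(packages: str) -> dict:
    """Map Filename -> (sha256, size) for every stanza in a Packages index."""
    out = {}
    for stanza in packages.strip().split("\n\n"):
        fields = dict(l.split(": ", 1) for l in stanza.splitlines() if ": " in l)
        out[fields["Filename"]] = (fields["SHA256"], int(fields["Size"]))
    return out

def matches(data: bytes, expected: tuple) -> bool:
    digest, size = expected
    return len(data) == size and sha256_hex(data) == digest

def verify_chain(release: str, packages: bytes, deb: bytes, deb_path: str) -> bool:
    """Trusted Release text -> Packages index -> .deb; any mismatch fails closed."""
    idx = parse_release_sha256(release).get("main/binary-amd64/Packages")
    if idx is None or not matches(packages, idx):
        return False
    pkg = parse_packages(packages.decode()).get(deb_path)
    return pkg is not None and matches(deb, pkg)
```

A tampered .deb or a rewritten Packages index fails at the corresponding link of the chain, regardless of which mirror or network path delivered it.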