Re: Verification of netboot installer and firmware files
On Sun, Sep 06, 2015 at 10:20:04AM +0200, Daniel Reichelt wrote:
> Hey there
> I'm wondering if there's a practical way to verify the netboot installer files
> and firmware archives provided via -. I couldn't find anything similar to
> the signed (md5|shaX)sum files provided for the ISOs, nor any lines in the
> official installation guide about verification.
Folk are aware of this: in other threads on other mailing lists, they're discussing the
things needed to harden/verify repositories and downloads.
The next iteration of Apt does bring significant enhancements for some of those steps.
http://wiki.debian.org/Hardening/RepoAndImages may also help - people are aware :)
> Am I missing s.th.? Looking forward to suggestions!
> If I'm really the first one to bring this up: IMHO the simplest solution would
> be to gpg-sign the hash lists under / and provide signed hash lists for
>  as well.
Not the first
All the best,
>  http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/
>  http://d-i.debian.org/daily-images/amd64/daily/
>  http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/
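One way to act on a hash list once its signature has been checked (for instance with `gpg --verify`), given here as an added example that is not part of the original thread or of any Debian tooling. The function names and the sample tree are constructed for illustration, and the signature check itself is assumed to have happened beforehand.

```python
import hashlib, string, tempfile
from pathlib import Path, PurePosixPath

def sha256_file(path):
    # Reads the whole file at once; fine for the small constructed samples below.
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_hash_list(text):
    """Parse sha256sum-style lines ('<hex>  <path>') into {relative path: digest}."""
    entries = {}
    for line in filter(str.strip, text.splitlines()):
        digest, _, name = line.partition(" ")
        rel = PurePosixPath(name[1:])  # drop the ' ' or '*' mode character
        if len(digest) != 64 or set(digest) - set(string.hexdigits):
            raise ValueError(f"bad digest in line: {line!r}")
        # A hash list must never make us read outside the download directory.
        if rel.is_absolute() or ".." in rel.parts or not rel.parts:
            raise ValueError(f"unsafe path in line: {line!r}")
        entries[rel.as_posix()] = digest.lower()
    return entries

def verify_tree(root, hash_list_text):
    """Compare a download directory against an already-trusted hash list."""
    root, expected = Path(root), parse_hash_list(hash_list_text)
    report = {"ok": [], "mismatch": [], "missing": []}
    for rel, digest in expected.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) == digest:
            report["ok"].append(rel)
        else:
            report["mismatch"].append(rel)
    # Files the list does not cover are unverified, so report them as well.
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    report["unlisted"] = sorted(on_disk - set(expected))
    return report

def demo():
    """Constructed sample: a tiny fake netboot tree, altered after the list was made."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "netboot").mkdir()
        files = {"netboot/mini.iso": b"constructed image",
                 "netboot/netboot.tar.gz": b"constructed archive"}
        listing = "0" * 64 + "  ./netboot/gone.img\n"
        for rel, data in files.items():
            (root / rel).write_bytes(data)
            listing += f"{hashlib.sha256(data).hexdigest()}  ./{rel}\n"
        (root / "netboot/mini.iso").write_bytes(b"tampered image")
        (root / "extra.bin").write_bytes(b"not in the list")
        return verify_tree(root, listing)
```

Calling `demo()` returns the report for the constructed tree; anything under `mismatch`, `missing` or `unlisted` means the download should not be trusted as it stands.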