
Debian Users Can't Download CD's Integrity/Sign or file-Signing PubKey, Over HTTPS/HKPS Encrypted Connection


isn't it amazing & SAD that currently DEBIAN USERs CANNOT OBTAIN ANY hash/integrity CODE/file, or signature/sign code/file for CD-DVD ISO file, or the file-signing GPG pubkey file, OVER/THRU a (HTTPS/HKPS) ENCRYPTED connection ? !!! (from the primary domain/server "debian.org" or "www.debian.org" website) !  do you not notice it !!! ?  or who forced you to implement+maintain such WEAK security system ?!

in https://www.debian.org/CD/verify webpage: (1a) please Show+Enable HKPS based GPG KeyServer, or (1b) Allow Single GPG PUBKEY File Download (which is including all file-signing pubkeys), Over (HTTPS) ENCRYPTED CONNECTION.  And (2) display CD/DVD ISO-file's HASH/CheckSUMS INTEGRITY codes/files (over HTTPS webpage) under that "CD" folder for last+stable debian release, (and also allow HTTPS based sig/sign file, "*.bittorrent" index-file download).

in the https://keyring.debian.org/ webpage also show this, example command-line:
gpg2 --keyserver hkps://keyring.debian.org:443 --recv-keys 0x42468F4009EA8AC3

If above steps are done, then very-large sized (few GIGABYTES sized) ISO-files can be delivered to users, or users can obtain, over non-encrypted HTTP or FTP etc connection.  In fact, all users should be forced to download ISO file over HTTP non-encrypted connection (by using url-redirecting in web-server side), WHEN INTEGRITY & PUBKEY is downloadable over (HTTPS/HKPS) ENCRYPTED CONNECTION.

CD/DVD image ISO file's GPG-SIGNATURE (sig/sign) FILE or SHAnnnSUMS INTEGRITY FILES (all of these files are very very TINY SIZED FILES (few KILOBYTES only), compared to the VERY large-sized main file, the ISO files).  So AT-LEAST sig/sign file + Sums/Hash code files, need to be shared with all users (from "https://cdimage.debian.org" or https://www.debian.org/CD/ website) over HTTPS encrypted connection/transfer. Currently the "cdimage.debian.org" sub-domain server does not support HTTPS connections & none of the tiny files are downloadable over HTTPS/HKPS ENCRYPTED connection !!!  if those tiny files are downloadable over HTTPS encrypted connection, then users can match/compare, "codes" obtained (over secure HTTPS/HKPS Encrypted connection) from SUMS/hash integrity file, with the calculated hash code of the downloaded ISO file, (or by using a GPG tool, user can verify the authenticity of downloaded ISO file, by using securely downloaded signature file).

since "Debian.org" website is now already DNSSEC signed by its own developers :)  and website's used TLS/SSL cert is also defined+declared in TLSA/DANE dns record :)  so all HTTPS webpage INFO from primary website ("https://www.debian.org/") are already (SSL/TLS CA, and, DANE DNSSEC), double channel (aka, double TA) verified.  Users can very easily see indication (for free or almost at no-cost) of this double-verification, if they use https://www.dnssec-validator.cz/ addon in (firefox/IE/safari/chrome) web-browser, etc, AND, if a local full dnssec supported dns-resolver, (like "unbound" from https://www.unbound.net/ is used).

please MENTION about these two or similar (DNSSEC-Validator, Unbound) APP, IN THAT "verify" WEBPAGE, so that all users+people can know there are OTHER existing & alternative & trustworthy ways, to verify/authenticate,  And "debian.org" website & its devs have already implemented+using them.   Unless you mention about "DNSSEC" in that "verify" webpage, how else would people know about using this alternative ? !!!  don't assume every1 is traveling around the world & meeting correct people all the time, & know all kinds of (correct) ways.

please allow your/debian users to enjoy & utilize this double-verification, for getting tiny file-integrity (sums/hash) code files, over HTTPS based encrypted connection from a DNSSEC signed & DANE authenticated website.

Please fix these issues, and update your website. Thank you.

I'm also posting, a similar (not exactly same) request, in Debian-CD Mailing-list, as it requires attention from packagers & devs working on CDs/DVDs, to place & show the integrity-files into primary domain (along with showing in "cdimage" subdomain).  Also posting a similar (not exactly same) request in Debian-www Mailing-list, as it requires them to update SSL cert for the "keyring" & "cdimage" subdomain & update the "verify" webpage.  Keeping Debian-Security Mailing-list discussion in detail, here, as it involves Debian installer & related file's integrity & Debian webserver's data TRANSFER security.

-- Erik.
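The split the mail argues for (tiny SHAnnnSUMS file fetched over an authenticated channel, multi-gigabyte image fetched over plain HTTP or a torrent) comes down to one local check; the script below is an added example, not part of the original mail or of Debian's tooling. The image name and contents in demo() are constructed placeholders, and the GPG signature on the SUMS file is assumed to have been checked separately with gpg --verify.

```python
import hashlib
import tempfile
from pathlib import Path

# Debian publishes one checksum file per algorithm; map its name to hashlib's.
SUMS_ALGORITHMS = {"SHA256SUMS": "sha256", "SHA512SUMS": "sha512"}

def parse_sums(sums_text):
    """Parse "<hex digest>  <filename>" lines into {filename: digest}."""
    digests = {}
    for line in sums_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        digests[parts[1].lstrip("*")] = parts[0].lower()  # "*name" = binary-mode marker
    return digests

def file_digest(path, algorithm, chunk_size=1 << 20):
    """Hash a multi-gigabyte image in chunks so it never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_iso(iso_path, sums_path):
    """Check the big image (fetched over plain HTTP/torrent) against the small
    SHAnnnSUMS file (fetched over the authenticated channel). Returns (ok, reason)."""
    iso_path, sums_path = Path(iso_path), Path(sums_path)
    algorithm = SUMS_ALGORITHMS.get(sums_path.name)
    if algorithm is None:
        return False, f"unknown checksum file {sums_path.name}"
    expected = parse_sums(sums_path.read_text()).get(iso_path.name)
    if expected is None:
        return False, f"{iso_path.name} is not listed in {sums_path.name}"
    if file_digest(iso_path, algorithm) != expected:
        return False, "digest mismatch: image is corrupt or was altered in transit"
    return True, "digest matches"

def demo():
    """Constructed sample: a stand-in 'ISO' (not a real image), its SHA512SUMS,
    then the same file altered. Returns the two verify_iso results."""
    with tempfile.TemporaryDirectory() as workdir:
        iso = Path(workdir) / "example-netinst.iso"  # placeholder name
        iso.write_bytes(b"constructed stand-in for an ISO image\n")
        sums = Path(workdir) / "SHA512SUMS"
        sums.write_text(f"{file_digest(iso, 'sha512')}  {iso.name}\n")
        good = verify_iso(iso, sums)
        iso.write_bytes(b"constructed stand-in for an ISO image, altered\n")
        return good, verify_iso(iso, sums)
```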