Hi,
Isn't it amazing & SAD that currently DEBIAN USERS CANNOT OBTAIN ANY hash/integrity CODE/file, or signature/sign code/file for a CD-DVD ISO file, or the file-signing GPG pubkey file, OVER/THRU an (HTTPS/HKPS) ENCRYPTED connection?!!! (from the primary domain/server "debian.org" or "www.debian.org" website)! Do you not notice it?!!! Or who forced you to implement+maintain such a WEAK security system?!
In the https://www.debian.org/CD/verify webpage: (1a) please Show+Enable an HKPS-based GPG KeyServer, or (1b) Allow a Single GPG PUBKEY File Download (which includes all file-signing pubkeys), Over an (HTTPS) ENCRYPTED CONNECTION. And (2) display the CD/DVD ISO file's HASH/CheckSUMS INTEGRITY codes/files (over an HTTPS webpage) under that "CD" folder for the last+stable Debian release (and also allow HTTPS-based sig/sign file and "*.bittorrent" index-file download).
In the https://keyring.debian.org/ webpage also show this example command-line:
gpg2 --keyserver hkps://keyring.debian.org:443 --recv-keys 0x42468F4009EA8AC3
If the above steps are done, then very large (few-GIGABYTE) ISO files can be delivered to users, or users can obtain them, over a non-encrypted HTTP or FTP etc. connection. In fact, all users should be forced to download the ISO file over a non-encrypted HTTP connection (by using URL redirecting on the web-server side), WHEN INTEGRITY & PUBKEY are downloadable over an (HTTPS/HKPS) ENCRYPTED CONNECTION.
The CD/DVD image ISO file's GPG-SIGNATURE (sig/sign) FILE and SHAnnnSUMS INTEGRITY FILES are all very very TINY SIZED FILES (a few KILOBYTES only), compared to the VERY large-sized main file, the ISO file. So AT LEAST the sig/sign file + Sums/Hash code files need to be shared with all users (from the "https://cdimage.debian.org" or https://www.debian.org/CD/ website) over an HTTPS encrypted connection/transfer. Currently the "cdimage.debian.org" sub-domain server does not support HTTPS connections & none of the tiny files are downloadable over an HTTPS/HKPS ENCRYPTED connection!!! If those tiny files were downloadable over an HTTPS encrypted connection, then users could match/compare the "codes" obtained (over a secure HTTPS/HKPS Encrypted connection) from the SUMS/hash integrity file with the calculated hash code of the downloaded ISO file (or, by using a GPG tool, a user could verify the authenticity of the downloaded ISO file by using the securely downloaded signature file).
Since the "Debian.org" website is now already DNSSEC signed by its own developers :) and the website's TLS/SSL cert is also defined+declared in a TLSA/DANE dns record :) all HTTPS webpage INFO from the primary website ("https://www.debian.org/") is already double-channel (aka double TA) verified (SSL/TLS CA, and DANE DNSSEC). Users can very easily see an indication (for free or almost at no cost) of this double verification if they use the https://www.dnssec-validator.cz/ addon in a (Firefox/IE/Safari/Chrome) web-browser, etc., AND if a local full-DNSSEC-supporting dns-resolver (like "unbound" from https://www.unbound.net/) is used.
Please MENTION these two or similar (DNSSEC-Validator, Unbound) APPS IN THAT "verify" WEBPAGE, so that all users+people can know there are OTHER existing & alternative & trustworthy ways to verify/authenticate, And that the "debian.org" website & its devs have already implemented+are using them. Unless you mention "DNSSEC" in that "verify" webpage, how else would people know about using this alternative?!!! Don't assume everyone is traveling around the world & meeting the correct people all the time, & knows all kinds of (correct) ways.
Please allow your/Debian users to enjoy & utilize this double verification for getting tiny file-integrity (sums/hash) code files over an HTTPS-based encrypted connection from a DNSSEC-signed & DANE-authenticated website.
Please fix these issues, and update your website. Thank you.
I'm also posting a similar (not exactly the same) request in the Debian-CD Mailing-list, as it requires attention from packagers & devs working on CDs/DVDs, to place & show the integrity files in the primary domain (along with showing them in the "cdimage" subdomain). Also posting a similar (not exactly the same) request in the Debian-www Mailing-list, as it requires them to update the SSL cert for the "keyring" & "cdimage" subdomains & update the "verify" webpage. Keeping the Debian-Security Mailing-list discussion in detail here, as it involves the Debian installer & related files' integrity & the Debian webserver's data TRANSFER security.
-- Erik.
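The verification flow the post argues for (small SHA256SUMS and detached signature fetched over an authenticated channel, the multi-gigabyte image itself over plain HTTP, then the image checked locally against the signed sums) as an added shell example. This is not code from the post or from the Debian project; the file names SHA256SUMS / SHA256SUMS.sign, the keyring path and the image name are illustrative assumptions, and the demo at the bottom runs on constructed files with no network access.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check a downloaded image against a
# SHA256SUMS file that was itself fetched over HTTPS and covered by a detached GPG
# signature. The signature on the small sums file is what lets the large image be
# fetched over an unauthenticated channel. File names here are assumptions.
set -u

# Pick a SHA-256 tool present on this host (GNU coreutils or Perl shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sums_signature SUMS SIG KEYRING
#   0 if gpg accepts detached signature SIG over SUMS using only the keys in KEYRING
#   (e.g. a keyring you fetched over HKPS/HTTPS); non-zero on a bad signature,
#   an unknown signing key, or when gpg is not installed (rc 3).
verify_sums_signature() {
  command -v gpg >/dev/null 2>&1 || return 3
  gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" >/dev/null 2>&1
}

# expected_sum SUMS NAME
#   Prints the hash recorded for NAME in SUMS (coreutils format "<hex>  <name>",
#   or "<hex> *<name>" for binary mode). Prints nothing when NAME is not listed.
expected_sum() {
  awk -v n="$2" '($2 == n || $2 == ("*" n)) {print $1; exit}' "$1"
}

# check_image IMAGE SUMS
#   0: recorded hash matches a fresh SHA-256 of IMAGE
#   1: hash mismatch (corrupt or tampered download)
#   2: IMAGE's basename is not listed in SUMS at all
check_image() {
  local image="$1" sums="$2" want have
  want=$(expected_sum "$sums" "$(basename "$image")")
  [ -n "$want" ] || return 2
  have=$(sha256_of "$image")
  [ "$want" = "$have" ]
}

# Stand-alone demo on constructed files: a stand-in "image" and a matching sums file.
demo_dir=$(mktemp -d)
printf 'constructed stand-in for a netinst image\n' > "$demo_dir/debian-netinst.iso"
printf '%s  debian-netinst.iso\n' "$(sha256_of "$demo_dir/debian-netinst.iso")" \
  > "$demo_dir/SHA256SUMS"
rc=0
check_image "$demo_dir/debian-netinst.iso" "$demo_dir/SHA256SUMS" || rc=$?
case "$rc" in
  0) echo "image matches SHA256SUMS" ;;
  1) echo "HASH MISMATCH: do not use this image" ;;
  2) echo "image is not listed in SHA256SUMS" ;;
esac
rm -rf "$demo_dir"
```

In real use the order matters: run verify_sums_signature on SHA256SUMS, SHA256SUMS.sign and a keyring obtained over HKPS/HTTPS first, and only then trust check_image; a matching hash against an unsigned sums file fetched over plain HTTP proves nothing, which is the gap the post is complaining about.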