Re: debcheckroot v2.0 released
On 24.03.20 at 11:18, Paul Wise wrote:
On Tue, Mar 24, 2020 at 3:33 AM Paul Wise wrote:
I've forwarded this to the Debian sysadmins IRC channel. I think it is
related to the fact that the cdimage.d.o server is not managed by the
Debian sysadmins, so the UMU ACC admins probably used Let's Encrypt to
get certs, and then of course the TLSA records got outdated after the
renewal. For other debian.org domains that are not managed by the
Debian sysadmins, we centrally create the certs and propagate them to
external services (like the CDNs for deb.d.o). The cdimage.d.o server
isn't a CDN and probably doesn't have cert APIs but we can probably
use the same approach to fix this.
The result was that the mismatch was caused by a bug in the Debian
sysadmin puppet. The fix was to remove the TLSA records for this
domain due to the aforementioned management disconnect. If the cert
management for cdimage.d.o changes to the deb.d.o setup then the TLSA
records will return and be correct.
I hope this is gonna happen anytime soon. DANE and thus a valid TLSA
record is of very high value and importance for getting a genuine
download of Debian. As I have mentioned before, downloads via Tor can be
spoofed like my last Debian Live 10 download which turned out to be
infected by debcheckrooting against the Debian 10 DL-BD.
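The failure discussed in this thread is a TLSA record that no longer matches the certificate a server serves after a renewal. The following is an added example, not code from the thread, from Debian or from debcheckroot: it computes TLSA RDATA (RFC 6698 usage/selector/matching type, with the common "3 1 1" DANE-EE SPKI SHA-256 form as an assumed default) from a DER certificate using only the standard library, and checks a published record against it. The `constructed_cert` helper builds an unsigned dummy certificate purely so the check runs offline; on a real host you would feed it the DER output of `openssl s_client`/`openssl x509 -outform DER` instead.

```python
import hashlib

def der(tag, payload):
    """Encode one DER TLV (lengths below 65536 suffice here)."""
    n = len(payload)
    if n < 0x80: length = bytes([n])
    elif n < 0x100: length = bytes([0x81, n])
    else: length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload

def der_read(buf, off=0):
    """Decode the TLV at off; return (tag, value, total_length)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + n], "big"), hdr + n
    return tag, buf[off + hdr:off + hdr + length], hdr + length

def der_children(value):
    """Yield each raw TLV (header included) inside a constructed value."""
    off = 0
    while off < len(value):
        _, _, consumed = der_read(value, off)
        yield value[off:off + consumed]
        off += consumed

def extract_spki(cert_der):
    """Return the SubjectPublicKeyInfo TLV of a DER X.509 certificate."""
    _, tbs, _ = der_read(der_read(cert_der)[1])      # Certificate -> tbsCertificate
    fields = list(der_children(tbs))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[5]   # serial, signature, issuer, validity, subject, then SPKI

def tlsa_rdata(cert_der, usage, selector, mtype):
    """TLSA RDATA: selector 0 = full cert, 1 = SPKI; mtype 0/1/2 = raw/sha256/sha512."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda d: d.hex(), 1: lambda d: hashlib.sha256(d).hexdigest(),
              2: lambda d: hashlib.sha512(d).hexdigest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_matches(record, cert_der):
    """True if the published TLSA record still matches the served certificate."""
    usage, selector, mtype, digest = record.split()
    expected = tlsa_rdata(cert_der, int(usage), int(selector), int(mtype))
    return expected.split()[3].lower() == digest.lower()

def constructed_cert(spki, subject=b"constructed-example"):
    """Dummy unsigned certificate (constructed for offline tests) with a real field layout."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + der(0x30, b"") + der(0x30, b"") + der(0x30, der(0x13, subject)) + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))
```

A "3 1 1" record survives a renewal only if the key pair is reused; a renewal with a fresh key, as the ACME clients do by default, makes `tlsa_matches` return False until the record is updated.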