
Re: A long rant on Debian 9


Cindy-Sue Causey wrote:
> Only thing my poor brain can come up with is integrity of the
> downloaded ISO file.

That would be quite a peculiar transport damage.
On the other hand, malicious alteration would probably avoid such obvious
deviations from usual behavior.

Greg Wooledge wrote:
> The installer can be booted in either Legacy or UEFI mode.  Perhaps
> the menus work differently between those two?

This is more plausible. After all, the i386 and amd64 ISOs have two different
bootloaders with their own menu configuration files each.
(ISOLINUX on Legacy BIOS, GRUB2 on EFI in non-Legacy mode.)

But i guess that the ISOs got tested with both firmwares at least when
Debian 9 was new.

So progress will probably only be made if some fearless person tries to
replay the situation. (Fearless, because software can smell if you are
out of courage or patience.)

  "Thinkpad x40", "wifi", "Intel ipw2200 hardware"
Implicitly i read "amd64" as architecture of the netinst ISO.

More for the archive than for this thread:

> https://www.debian.org/CD/verify

This should be accompanied by
and some glue text.

I recently wrote an example at

> https://linuxconfig.org/how-to-verify-an-authenticity-of-downloaded-debian-i

This should put more emphasis on comparing the "Primary key fingerprint"
with those listed on

A while ago i read about successful spoofing by keys which claimed to
be from trusted programmers. Cryptography was not involved. Only human

> https://unix.stackexchange.com/questions/138603/how-to-verify-debian-iso-integrity

This is better in the aspect of fingerprints. (I think the "web of trust"
proposal is not possible with the Debian CD keys. But i can be wrong easily.)

Have a nice day :)
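
The fingerprint comparison discussed in the message above, as an added example that is not part of the original post: it pins the signer by primary key fingerprint instead of by the name gpg prints, then checks the ISO against the signed checksum list. It assumes the status text was captured from `gpg --status-fd 1 --verify SHA512SUMS.sign SHA512SUMS`; the fingerprints, file name and data are constructed placeholders.

```python
import hashlib

# Placeholder only: copy the real value from the official Debian key list.
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

def primary_fingerprint(status_text):
    """Primary key fingerprint from the VALIDSIG status line, or None."""
    for line in status_text.splitlines():
        parts = line.split()
        # "[GNUPG:] VALIDSIG" + 10 fields; the 10th is the primary key fingerprint.
        if len(parts) >= 12 and parts[:2] == ["[GNUPG:]", "VALIDSIG"]:
            return parts[11].upper()
    return None

def expected_digest(sums_text, filename):
    """Hex digest listed for filename in SHA512SUMS-style text, or None."""
    for line in sums_text.splitlines():
        digest, _, name = line.partition(" ")
        if name.strip().lstrip("*") == filename:
            return digest.lower()
    return None

def iso_ok(iso_bytes, filename, sums_text, status_text, trusted=TRUSTED_FPRS):
    """True only if the signer is pinned AND the ISO matches the signed list."""
    if primary_fingerprint(status_text) not in trusted:
        return False  # valid signature, but from a key we never decided to trust
    want = expected_digest(sums_text, filename)
    return want is not None and hashlib.sha512(iso_bytes).hexdigest() == want

def sample_status(fpr):
    """Constructed gpg status output; the user ID is the same for any key."""
    return ("[GNUPG:] GOODSIG %s Example CD signing key <cd@example.org>\n"
            "[GNUPG:] VALIDSIG %s 2017-06-17 1497700000 0 4 0 1 10 00 %s\n"
            % (fpr[-16:], fpr, fpr))

# Constructed sample data.
ISO = b"constructed stand-in for ISO contents"
NAME = "debian-netinst.iso"
SUMS = hashlib.sha512(ISO).hexdigest() + "  " + NAME + "\n"
PINNED = sample_status("0123456789ABCDEF0123456789ABCDEF01234567")
LOOKALIKE = sample_status("FEDCBA9876543210FEDCBA9876543210FEDCBA98")

if __name__ == "__main__":
    print("pinned key:   ", iso_ok(ISO, NAME, SUMS, PINNED))
    print("lookalike key:", iso_ok(ISO, NAME, SUMS, LOOKALIKE))
    print("altered ISO:  ", iso_ok(ISO + b"x", NAME, SUMS, PINNED))
```

Both sample signatures carry the same user ID and would both show as good signatures; only the fingerprint comparison tells them apart.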

