Hi,
Isn't it amazing & SAD that currently DEBIAN USERs CANNOT OBTAIN ANY hash/integrity CODE/file, or signature/sign code/file for CD-DVD ISO file, or the file-signing GPG pubkey file, OVER/THRU a (HTTPS/HKPS) ENCRYPTED connection ? !!! (from the primary domain/server "debian.org" or "www.debian.org" website, or from "keyring.debian.org") ! do you not notice it !!! ?
In the https://www.debian.org/CD/verify webpage: (1a) please Show+Enable HTTPS based link to "keyring.debian.org" subdomain keyserver, and enable HKPS based GPG KeyServer & display correct HKPS based link on "keyring.debian.org" webpage, or (1b) Allow Single GPG PUBKEY File Download (which includes all file-signing pubkeys), Over (HTTPS) ENCRYPTED CONNECTION, from that "verify" webpage. And (2) display CD/DVD ISO-file's HASH/CheckSUMS INTEGRITY codes/files (and "SIGN" & "Signature" files) over HTTPS webpage, under that "debian.org/CD/" sub-folder for last+stable debian release, (and also allow HTTPS based "*.bittorrent" index-file download).
In the https://keyring.debian.org/ webpage, also show this example command-line:
gpg2 --keyserver hkps://keyring.debian.org:443 --recv-keys 0x42468F4009EA8AC3
If the above steps are done, only then very-large sized (few GIGABYTES sized) ISO files can be delivered to users, or users can obtain them, over non-encrypted HTTP or FTP etc open & non-encrypted connection. In fact, all users should be forced to download large-sized ISO CD/DVD files over HTTP based Non-Encrypted connection (by using URL-REDIRECTING mechanism in "cdimage.debian.org" subdomain web-server side), ONLY WHEN INTEGRITY CODEs, SIGN Codes & GPG/PGP PUBKEY etc TINY files are downloadable over direct (HTTPS/HKPS) ENCRYPTED & VERIFIED CONNECTION. But now you've kept all files over HTTP ! :( none of the TINY integrity files are downloadable over HTTPS ENCRYPTED connection/TRANSFER !!! :(
CD/DVD image ISO file's GPG-SIGNATURE (sig) FILE or SHAnnnSUMS INTEGRITY FILES (or FILE-SIGNING GPG Pubkey file, or file's integrity/hash code SIGNING "SIGN" file) etc, all of these files are very very TINY SIZED FILES (few KILOBYTES only), compared to the VERY large (gigabytes) sized main files, the ISO CD/DVD image files. So AT-LEAST sig/sign file + Sums/Hash integrity code files need to be shared with all users (from "https://cdimage.debian.org" or https://www.debian.org/CD/ website) over HTTPS Encrypted connection/transfer. Currently the "cdimage.debian.org" sub-domain server does not support HTTPS connections & so none of the tiny files are downloadable over HTTPS ENCRYPTED connection !!!
If those tiny files are downloadable over HTTPS encrypted connection, then users can match/compare "codes" obtained (over secure HTTPS/HKPS Encrypted connection) from SUMS/hash integrity file, with the calculated hash code of the downloaded ISO file, (or by using a GPG tool, user can verify the authenticity of downloaded ISO file, by using securely downloaded signature file).
Since "Debian.org" website is now already DNSSEC signed by its own developers :) and website's used TLS/SSL cert is also defined+declared in TLSA/DANE dns record :) so all HTTPS webpage INFO from primary website ("https://www.debian.org/") are already (SSL/TLS CA, and, DANE DNSSEC), double channel (aka, double TA) verified. Users can very easily see indication (for free or almost at no-cost) of this double-verification, if they use https://www.dnssec-validator.cz/ addon in (firefox/IE/safari/chrome) web-browser, etc, AND, if a local full dnssec supported dns-resolver (like "unbound" from https://www.unbound.net/) is used.
Please MENTION these two or similar (DNSSEC-Validator, Unbound) APPs IN THAT primary domain "verify" WEBPAGE, so that all users+people can know there are OTHER existing & alternative & trustworthy ways to verify/authenticate, And "debian.org" website & its Devs have already implemented+are using them. Unless you mention "DNSSEC" in that "verify" webpage, how else would people/users know about using this alternative ? !!! don't assume everyone is traveling around the world & meeting correct people all the time, & knows all kinds of (correct or alternative) ways.
Please allow your/debian users to enjoy & utilize this double-verification, for getting tiny file-integrity (sums/hash) code files, over HTTPS based encrypted connection from a DNSSEC signed & DANE authenticated website.
Please fix these issues, and update your website. Thank you.
I'm also posting a similar (not exactly same) request in Debian-CD Mailing-list, as it requires attention from packagers & devs working on CDs/DVDs, to place & show the integrity-files in the primary domain (along with showing in "cdimage" subdomain). Also posting a similar (not exactly same) request in Debian-www Mailing-list, as it requires them to update SSL cert for the "keyring" & "cdimage" subdomain & update the "verify" webpage. Keeping Debian-Security Mailing-list discussion in detail, here, as it involves Debian installer & related files' integrity & Debian webserver's data TRANSFER security.
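The check the message above describes, as an added shell example that is not part of the original post and not Debian's own tooling: the small SHA256SUMS list (and its detached signature) are the files that would be fetched over HTTPS/HKPS, and the large image can then travel over plain HTTP because its hash is compared against the authenticated list. The function names (`sha256_of`, `verify_iso_checksum`, `verify_sums_signature`), the image contents and the SHA256SUMS file are all constructed here so the script runs offline; `verify_sums_signature` only wraps the standard `gpg --verify` call on a detached signature and is not exercised by the constructed inputs.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from Debian: verify a
# downloaded image against a checksum list the way the post describes.
# Everything below is constructed locally; no real Debian image, checksum
# list or key is involved.
set -u

# Portable SHA-256 of one file (GNU coreutils, with a BSD/macOS fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_iso_checksum SUMS_FILE ISO_PATH
# Looks up the image's basename in SUMS_FILE ("hash  name" or "hash *name"
# lines, as sha256sum writes them), hashes ISO_PATH and compares the two.
# Returns 0 on match, 1 on mismatch, 2 if the list has no entry for the name.
verify_iso_checksum() {
  sums="$1"; iso="$2"
  name="$(basename "$iso")"
  expected="$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")"
  [ -n "$expected" ] || return 2
  actual="$(sha256_of "$iso")"
  [ "$actual" = "$expected" ]
}

# verify_sums_signature SIGN_FILE SUMS_FILE
# Checks the detached OpenPGP signature on the checksum list; this is what
# makes the list trustworthy before any hash is compared. Needs gpg and the
# signing key already in the local keyring; returns gpg's own exit status.
verify_sums_signature() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }
  gpg --batch --verify "$1" "$2"
}

# --- constructed inputs --------------------------------------------------
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
mkdir -p "$WORK/good" "$WORK/bad"

# Stand-in for the genuine image and the checksum list published for it.
printf 'constructed stand-in for a debian image\n' > "$WORK/good/debian-example.iso"
printf '%s  %s\n' "$(sha256_of "$WORK/good/debian-example.iso")" debian-example.iso \
  > "$WORK/SHA256SUMS"

# Stand-in for a modified copy served under the same name over plain HTTP.
printf 'constructed stand-in for a debian image\nextra bytes\n' > "$WORK/bad/debian-example.iso"

# Run the check on both copies when the script is executed directly.
for dir in good bad; do
  if verify_iso_checksum "$WORK/SHA256SUMS" "$WORK/$dir/debian-example.iso"; then
    echo "$dir/debian-example.iso: checksum matches SHA256SUMS"
  else
    echo "$dir/debian-example.iso: checksum MISMATCH (rc=$?) - do not use this image"
  fi
done
```

The lookup is keyed on the file's basename, so a mismatch and a missing entry are reported as different return codes; an image whose name is absent from the list has not been verified at all, which is worth distinguishing from a tampered download. In real use the signature check on the list (`verify_sums_signature SHA256SUMS.sign SHA256SUMS`) comes first, and only then does the hash comparison say anything about the image.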