Bug#722906: marked as done (Document additional methods for validating Debian-distributed files)



Your message dated Fri, 20 Oct 2023 22:03:37 +0200
with message-id <25906.56601.972856.636111@cs.uni-koeln.de>
and subject line closing
has caused the Debian Bug report #818367,
regarding Document additional methods for validating Debian-distributed files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
818367: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818367
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: www.debian.org
Severity: important

The Debian website provides no reasonable way of verifying downloads in
absence of a solid web of trust. The checksums, keys and their
fingerprints aren't served over HTTPS, with the exception of
https://ftp-master.debian.org/keys.html but the chain of trust in that
case is unreasonably difficult to establish for the purpose of checking
CD images or other downloads.

Furthermore, http://www.debian.org/CD/verify encourages insecure ways of
checking fingerprints, which are posted on a plain HTTP page. There's
also no mention of ftp-master and how to use the archive keys to
establish a chain of trust.

It would be fair to expect that a large proportion of users cannot or will
not be able to establish such a web of trust, especially if they're new
users. No matter how bad it is, the CA system is still better than
nothing and pretty much the only option for a lot of people, so for the
purpose of verifying an image and bootstrapping a chain of trust it
should do.

I suggest hosting all CD image checksums on an official HTTPS page and
updating http://www.debian.org/CD/verify accordingly. This makes it
really easy to check downloads, bootstraps the chain of trust with the
keys in the image and prevents minimally security-conscious users from
doing an insecure verification or skipping it altogether. Furthermore,
it's *very* cheap.

In addition to that, consider hosting all keys or at least their
fingerprints on a HTTPS page. This can be an alternative to what I
suggested above regarding checksums, but I'd advise against doing only
that considering a lot of users just aren't familiar with PGP.

P.S.: On a side note, I recently examined that aspect for a few other
major distros. Turns out Ubuntu also gets it wrong (not to mention they
still opt for MD5 checksums). Fedora and Gentoo do provide verifiable
keys/checksums (although in Gentoo's case official advice could be
better):

https://fedoraproject.org/verify
https://www.gentoo.org/proj/en/releng/

--- End Message ---
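The chain of trust the report asks for, written out as an added example (Python, not part of the bug report and not Debian's own tooling): a key fingerprint obtained over a trustworthy channel is pinned, the SHA256SUMS file is accepted only if gpg reports a VALIDSIG made by that pinned key, and only then is the image hash compared against the signed list. The code parses the machine-readable status lines gpg emits with `--status-fd` and the coreutils `sha256sum` format that SHA256SUMS uses. The fingerprint, status lines, file name and image bytes below are constructed sample data, not real Debian keys or releases; `gpg_status_for` is the one function that shells out to a real gpg and is not exercised offline.

```python
"""Verify a downloaded image: pinned key -> gpg-verified SHA256SUMS -> image hash.

Added example, not Debian's tooling. All fingerprints, status lines, file
names and hashes below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import hmac
import re
import subprocess

HEX40 = re.compile(r"^[0-9A-F]{40}$")
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](\S.*)$")


def normalize_fpr(fpr: str) -> str:
    """Canonical OpenPGP v4 fingerprint: 40 upper-case hex digits.

    Accepts the spaced form copied from a web page and the compact form gpg
    prints; anything else (truncated, mistyped) fails closed.
    """
    compact = re.sub(r"\s+", "", fpr).upper()
    if not HEX40.match(compact):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return compact


def parse_validsig(status_output: str) -> set[str]:
    """Fingerprints from gpg '--status-fd' VALIDSIG lines.

    Only VALIDSIG proves the signature verified; GOODSIG carries a short key
    ID and user ID, neither of which is safe to pin. Field 1 after VALIDSIG
    is the signing (sub)key fingerprint, the optional 10th the primary key.
    """
    fprs: set[str] = set()
    for line in status_output.splitlines():
        f = line.split()
        if len(f) >= 3 and f[0] == "[GNUPG:]" and f[1] == "VALIDSIG":
            fprs.add(normalize_fpr(f[2]))
            if len(f) >= 12:
                fprs.add(normalize_fpr(f[11]))
    return fprs


def signature_trusted(status_output: str, pinned_fprs) -> bool:
    """True only if a VALIDSIG was made by one of the pinned keys."""
    pinned = {normalize_fpr(p) for p in pinned_fprs}
    return bool(parse_validsig(status_output) & pinned)


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse '<64 hex>  <name>' (text mode) or '<64 hex> *<name>' (binary)."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.strip())
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums


def verify_file_hash(data: bytes, sums: dict[str, str], name: str) -> bool:
    expected = sums.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), expected)


def check_download(data, name, sums_text, gpg_status, pinned_fprs):
    """Full chain; returns (ok, reason). Sums are parsed only after the
    signature check so an unsigned list can never vouch for anything."""
    if not signature_trusted(gpg_status, pinned_fprs):
        return False, "SHA256SUMS signature not made by a pinned key"
    sums = parse_sha256sums(sums_text)
    if name not in sums:
        return False, f"{name} not listed in SHA256SUMS"
    if not verify_file_hash(data, sums, name):
        return False, f"SHA256 mismatch for {name}"
    return True, "ok"


def gpg_status_for(sig_path: str, sums_path: str) -> str:
    """Run gpg on a real download (needs gpg and the key in the keyring)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, sums_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


# Constructed sample data (not a real key, release or image).
PINNED_FPR = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example CD signing key <cd@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2023-06-10 "
    "1686384000 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
)
SAMPLE_IMAGE = b"abc"  # sha256 = ba7816bf...f20015ad
SAMPLE_SUMS = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
               "  example-netinst.iso\n")

if __name__ == "__main__":
    print(check_download(SAMPLE_IMAGE, "example-netinst.iso",
                         SAMPLE_SUMS, SAMPLE_STATUS, [PINNED_FPR]))
```

The point of the ordering is the one the report makes: a checksum page served over plain HTTP proves nothing, and a gpg "Good signature" proves nothing either unless the key that made it is compared against a fingerprint you obtained independently (an HTTPS page, the keyring shipped in a previous image), which is what the pinned set does.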
--- Begin Message ---
We provide the links to the full keys on this page.
Therefore closing.
-- 
regards Thomas

--- End Message ---