Author: David Kuehling
Date:  
To: dng
Subject: [DNG] How to guarantee authenticity of Devuan installer downloads?
Hi,

after the recent Mint ISO hack [1], I wonder how secure the Devuan
installer download scheme actually is. The Devuan installer download
page [2] uses plain unencrypted HTML [2]. It does supply sha256
checksums, but these are also provided via unencrypted HTML only. No
GPG signatures or anything that could provide an independent source for
evaluating authenticity.

Now if I downloaded Devuan from within China or Iran or Syria or any
company targeted by the NSA [3], how could I ensure that I still
received a non-tampered with .ISO file?

What about making the download page HTTPS-only (letsencrypt.org?)?

cheers,

David

[1] http://blog.linuxmint.com/?p=2994
[2] http://files.devuan.org/
[3] https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html
--
GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk2.gpg
Fingerprint: B63B 6AF2 4EEB F033 46F7 7F1D 935E 6F08 E457 205F
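
The point raised in the message above, as an added example that is not part of the original post: a sha256 list fetched over the same unauthenticated channel as the image detects corruption but not substitution, while a reference value from an independent source does. The file name, the image bytes and the "pinned" digest are constructed for illustration; the pinned digest stands in for any independent source, such as a signed checksum list checked against a key fingerprint obtained separately.

```python
import hashlib
import hmac

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_sums(text: str) -> dict:
    """Parse sha256sum-style lines: '<64 hex chars>  <filename>'."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            sums[parts[1].lstrip("*").strip()] = parts[0].lower()
    return sums

def check_in_band(image: bytes, name: str, sums_text: str) -> bool:
    """Compare the image with the checksum list fetched over the same channel."""
    expected = parse_sums(sums_text).get(name)
    return expected is not None and hmac.compare_digest(expected, sha256_hex(image))

def check_pinned(image: bytes, pinned_digest: str) -> bool:
    """Compare the image with a digest obtained over an independent channel."""
    return hmac.compare_digest(pinned_digest.lower(), sha256_hex(image))

# Constructed sample data: stand-ins for an installer image and its checksum list.
NAME = "installer-example.iso"  # hypothetical file name
GENUINE = b"constructed genuine installer image bytes"
TAMPERED = b"constructed modified installer image bytes"

def sums_for(image: bytes) -> str:
    """Checksum list as it would be served next to the given image."""
    return f"{sha256_hex(image)}  {NAME}\n"

# Assumption: the publisher's digest reached the user through a second channel.
PINNED = sha256_hex(GENUINE)

def scenario(image: bytes, sums_text: str) -> tuple:
    """Return (in-band result, independent-source result) for one download."""
    return check_in_band(image, NAME, sums_text), check_pinned(image, PINNED)

if __name__ == "__main__":
    # Untouched transfer: both checks accept.
    print("genuine :", scenario(GENUINE, sums_for(GENUINE)))
    # Image and checksum list replaced together on the unauthenticated channel.
    print("tampered:", scenario(TAMPERED, sums_for(TAMPERED)))
    # Image altered, list left alone: the in-band check does catch this.
    print("corrupt :", scenario(TAMPERED, sums_for(GENUINE)))
```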