:: [DNG] How to guarantee authenticity…
Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M\ 
MMDavid Kuehling at ->
Delete this message
Reply to this message
Author: David Kuehling
Date:  
To: dng
Subject: [DNG] How to guarantee authenticity of Devuan installer downloads?
Hi,

after the recent Mint ISO hack [1], I wonder how secure the Devuan
installer download scheme actually is. The Devuan installer download
page [2] uses plain unencrypted HTML [2]. It does supply sha256
checksums, but these are also provided via unencrypted HTML only. No
GPG signatures or nothing that could provide an independent source for
evaluating authenticity.

Now if I downloaded Devuan from within Cina or Iran or Syria or any
company targeted by the NSA [3], how could I ensure that I still
received a non-tampered with .ISO file?

What about making the download page HTTPS-only (letsencrypt.org?)?

cheers,

David

[1] http://blog.linuxmint.com/?p=2994
[2] http://files.devuan.org/
[3] https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html
--
GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk2.gpg
Fingerprint: B63B 6AF2 4EEB F033 46F7 7F1D 935E 6F08 E457 205F

This message was posted to the following mailing lists:
dng
Mailing List Info | Nearby Messages		<-Re: [DNG] Enlightenment anyone? ;)Re: [DNG] Debian archives (Was:systemd==bad)->

Donate to Dyne.org

dyne.org open discussions
administrated by dyne.org hackers		Lurker (version 2.3)