Author: David Kuehling
Date:  
To: dng
Subject: Re: [DNG] How to guarantee authenticity of Devuan installer downloads?
>>>>> "Daniel" == Daniel Reurich <daniel@???> writes:
[..]
>> Now if I downloaded Devuan from within China or Iran or Syria or any
>> company targeted by the NSA [3], how could I ensure that I still
>> received a non-tampered-with .ISO file?
>>
>> What about making the download page HTTPS-only (letsencrypt.org?)?
>>
> HTTPS is no guarantee either unless it's using DNSSEC and DANE. But I
> agree files.devuan.org should be https, and we should also have a site
> on the tor network as well.


At least an attack via MITM on SSL using hacked certs would be
detectable by SSL Observatory etc. and thus could not be used on a large
scale.

> With regards to verification you can get the pgp checksums from
> packages.devuan.org/<release>/InRelease file which is itself pgp
> signed using Devuan's PGP key which can be obtained from the keyserver
> network which is also accessible via tor using parcimonie. No
> guarantees but much harder to fake all that.


Unfortunately, that doesn't help me if I already got a rootkit with
the initial netinstaller ISO :/ . Could you publish detached .pgp
signatures or pgp-signed shasums for the ISOs, too?

cheers,

David
--
GnuPG public key: http://dvdkhlng.users.sourceforge.net/dk2.gpg
Fingerprint: B63B 6AF2 4EEB F033 46F7 7F1D 935E 6F08 E457 205F
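As an added illustration of the check David asks for (PGP-signed shasums verified against a key you already trust), not code from this thread or from Devuan: a small Python checker that accepts an ISO only when gpg's `--status-fd` output reports a VALIDSIG from a pinned fingerprint and the ISO's SHA-256 matches the signed list. The fingerprint, file name, image bytes and status lines below are constructed placeholders; in practice the status lines come from `gpg --status-fd 1 --verify SHA256SUMS.asc`.

```python
import hashlib
import re

# Constructed placeholder: pin the fingerprint the project publishes out of band.
# The thread does not give Devuan's key, so this is NOT it.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# gpg --status-fd line: "[GNUPG:] VALIDSIG <fingerprint> <date> <ts> <expire> ..."
VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{40}) ")

def signature_by_pinned_key(status_lines, pinned_fpr):
    """True only if gpg reported a VALIDSIG made by the pinned fingerprint.
    A GOODSIG from some other key in the keyring is deliberately not enough:
    "Good signature" alone only proves that *someone* you imported signed it."""
    for line in status_lines:
        m = VALIDSIG.match(line)
        if m and m.group(1).upper() == pinned_fpr.upper():
            return True
    return False

def parse_sha256sums(text):
    """Parse sha256sum-style lines ('<hex>  name' or '<hex> *name')."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        if len(digest) == 64 and name:
            sums[name] = digest.lower()
    return sums

def verify_iso(iso_bytes, iso_name, sums_text, status_lines, pinned_fpr):
    """Order matters: trust the checksum list only after its signature checks out."""
    if not signature_by_pinned_key(status_lines, pinned_fpr):
        return "untrusted-signature"
    expected = parse_sha256sums(sums_text).get(iso_name)
    if expected is None:
        return "not-listed"
    if hashlib.sha256(iso_bytes).hexdigest() != expected:
        return "checksum-mismatch"
    return "ok"

# Constructed sample inputs (not a real Devuan image, checksum list or signature).
ISO = b"constructed netinstall image bytes"
SUMS = f"{hashlib.sha256(ISO).hexdigest()}  devuan_netinst.iso\n"
STATUS_OK = [
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>",
    f"[GNUPG:] VALIDSIG {PINNED_FPR} 2016-01-01 1451606400 0 4 0 1 8 00 {PINNED_FPR}",
]
STATUS_OTHER_KEY = [  # valid signature, but from a key that is not the pinned one
    "[GNUPG:] GOODSIG FEDCBA9876543210 Someone Else <else@example.org>",
    "[GNUPG:] VALIDSIG " + "F" * 40 + " 2016-01-01 1451606400 0 4 0 1 8 00 " + "F" * 40,
]

if __name__ == "__main__":
    print(verify_iso(ISO, "devuan_netinst.iso", SUMS, STATUS_OK, PINNED_FPR))
```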