On 25/02/16 00:55, David Kuehling wrote:
>>>>>> "Daniel" == Daniel Reurich <daniel@???> writes:
> [..]
>>> Now if I downloaded Devuan from within Cina or Iran or Syria or any
>>> company targeted by the NSA [3], how could I ensure that I still
>>> received a non-tampered with .ISO file?
>>>
>>> What about making the download page HTTPS-only (letsencrypt.org?)?
>>>
>> HTTPS is no guarantee either unless it's using DNSSEC and DANE. But I
>> agree files.devuan.org should be https, and we should also have a site
>> on the tor network as well.
>
> At least an attack via MITM on SSL using hacked certs would be
> detectable by SSL observatory etc. und thus could not be used on a large
> scale.
>
>> With regards to verification you can get the pgp checksums from
>> packages.devuan.org/<release>/InRelease file which is itself pgp
>> signed using Devuans PGP key which can be obtained from the keyserver
>> network which is also accessible via tor using parcimonie. No
>> guarantees but much harder to fake all that.
>
> Unfortunately, that doesn't help me, if I already got a root-kit with
> the initial netinstaller ISO :/ . Could you publish detached .pgp
> signatures or pgp-signed shasums for the ISOs, too?

The InRelease file from your mirror or packages.devuan.org is signed by
the Devuan keyring and verifies its the contents is untampered with.
That file contains all the shasums for the SHA356SUMS file in each
folder in the dists part of the repo, thus you have the detached but
independently verifiable way to the shasum for the netinstaller.iso to
verify it.

--
Daniel Reurich
Centurion Computer Technology (2005) Ltd.
021 797 722