Subject: jigdo-lite: Final statement about verified ISO is too affirmative
Package: jigdo-file
Severity: normal
Tags: upstream

Dear Maintainer,

as described in
https://lists.debian.org/debian-cd/2018/01/msg00021.html
jigdo-file verifies the .template file and the resulting ISO image only by MD5 checksums which stem from the .jigdo or from the .template file. The .jigdo file is not verified at all.

Both issues have their own bug reports (#887831 and #887830). This one proposes a preliminary fix by simply telling the user that it's not safe yet.

The final message after the MD5 check of the finished ISO image is overly affirmative:

  "OK: Checksums match, image is good!"

It stems from jigdo-file and it might be used by automated callers of jigdo-lite as an indication of successful download. But after this message, jigdo-lite could point to the advised verification by GPG and a more secure checksum type like SHA512.

Have a nice day :)

Thomas
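
The post-download check the report refers to (GPG signature on the checksum list, then SHA-512 of the image), as an added example that is not part of the original report or of jigdo-lite. The function names and the keyring path are hypothetical; the sketch assumes a SHA512SUMS file with a detached signature and image file names without spaces.

```shell
#!/bin/sh
# Added example, not jigdo-lite code. Function names are hypothetical.

# verify_sums_signature SUMS SIG KEYRING
# Check the detached OpenPGP signature on the checksum list.
# gpgv treats every key in KEYRING as trusted, so the keyring must hold
# only signing keys whose fingerprints were confirmed out of band.
# Pass KEYRING as a path containing a slash; a bare name is looked up
# in the GnuPG home directory instead.
verify_sums_signature() {
    gpgv --keyring "$3" "$2" "$1" >/dev/null 2>&1
}

# verify_image_sha512 IMAGE SUMS
# Return 0 only if SUMS lists IMAGE's basename and the SHA-512 matches.
# Return 2 if there is no entry: a missing entry is a failure, not a pass.
verify_image_sha512() {
    image=$1
    sums=$2
    name=$(basename "$image")
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sha512sum "$image" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# verify_download IMAGE SUMS SIG KEYRING
# Signature first: an unsigned checksum list proves nothing about origin.
verify_download() {
    verify_sums_signature "$2" "$3" "$4" || {
        echo "FAILED: no valid signature on $2" >&2
        return 1
    }
    verify_image_sha512 "$1" "$2" || {
        echo "FAILED: SHA-512 mismatch or no entry for $1" >&2
        return 1
    }
    echo "OK: $1 matches the signed SHA-512 list"
}

# Example call (paths are assumptions):
#   sh verify.sh debian.iso SHA512SUMS SHA512SUMS.sign ./debian-cd-keyring.gpg
if [ $# -eq 4 ]; then
    verify_download "$@"
fi
```

Automated callers should branch on the exit status of verify_download, not on the text of the OK line.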