Hi,

while working on my JigdoOnLive wiki page I got pointed by Paul Wise to the fact that the "https:" URLs of cdimage.debian.org files do not really protect their file content against tampering.
I am quite sure that the .jigdo files are not verified by jigdo-lite beyond (possibly) the gzip checksum. There is no entry in the *SUMS files which accompany the .jigdo files at cdimage.debian.org/debian-cd/current/*/jigdo-*/. The files do not even bear an inner checksum to surely protect them against transmission errors (gzip CRC is 32 bit, afaik).

Some undesirable aspects:

- Manipulated .jigdo and .template files could lure jigdo-lite into letting wget download arbitrary URLs.
- The .iso.tmp file could inflate to arbitrary size.
- jigdo-lite's affirmative final statement about matching checksum could lure people into omitting the *SUMS/*SUMS.sign verification.

If the .jigdo files were listed in the *SUMS files, then we could at least rely on the "Template Hex MD5Sum" inside .jigdo. Better would be if .template were listed in *SUMS, too, and if we add a line

  # Template Hex SHA512Sum ...

to the .jigdo file.

We should check whether jigdo-lite or jigdo-file really make use of the Template and Image checksums in the .jigdo file. (I suspect that it's only MD5, at best.)

---

Putting new files into *SUMS would have to be done by debian-cd et al. The additional SHA512 line in .jigdo would have to be done in libjte. I'd volunteer if Steve McIntyre gives his OK to the plan.

Auditing of jigdo-lite in respect to checksums is in my reach, too. I will report if I find something especially worrying. But: The more eyes, the better.

Have a nice day :)

Thomas
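
The verification chain proposed in the message above, as an added example that is not part of the original mail and not code from jigdo-lite, libjte or debian-cd. It assumes the .jigdo file is listed in an already signature-checked SHA512SUMS text and carries comment lines of the form "# Template Hex <ALGO>Sum <hex>"; all function names and the sample data are constructed for illustration.

```python
import gzip, hashlib, re

# Assumed comment format, modelled on the "# Template Hex SHA512Sum ..." line proposed above.
HEX_LINE = re.compile(
    r"^#\s*Template\s+Hex\s+(MD5|SHA256|SHA512)Sum\s+([0-9a-fA-F]+)\s*$", re.I | re.M)
STRENGTH = ["sha512", "sha256", "md5"]  # strongest first; md5 only as last resort

def template_hashes(jigdo_bytes):
    """Return {algo: hex} from the '# Template Hex ...' comment lines of a .jigdo file."""
    if jigdo_bytes[:2] == b"\x1f\x8b":  # gzip magic: .jigdo files are usually compressed
        jigdo_bytes = gzip.decompress(jigdo_bytes)
    text = jigdo_bytes.decode("utf-8", "replace")
    return {m.group(1).lower(): m.group(2).lower() for m in HEX_LINE.finditer(text)}

def listed_in_sums(sums_text, name, data):
    """True if a 'HEX  NAME' line in SHA512SUMS-style text matches the SHA-512 of data."""
    want = hashlib.sha512(data).hexdigest()
    for line in sums_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*").strip() == name:
            return parts[0].lower() == want
    return False  # not listed at all: treat as unauthenticated

def verify_chain(sums_text, jigdo_name, jigdo_bytes, template_bytes):
    """Return (ok, reason). The caller must have verified sums_text against its signature."""
    if not listed_in_sums(sums_text, jigdo_name, jigdo_bytes):
        return False, "jigdo not authenticated by SUMS"
    hashes = template_hashes(jigdo_bytes)  # only trusted because the .jigdo was authenticated
    for algo in STRENGTH:
        if algo in hashes:
            got = hashlib.new(algo, template_bytes).hexdigest()
            if got != hashes[algo]:
                return False, f"template {algo} mismatch"
            return True, f"template verified with {algo}"
    return False, "no template checksum in jigdo"

def constructed_sample():
    """Build a constructed SUMS text, gzip'd .jigdo and template that belong together."""
    template = b"constructed template bytes"
    body = ("[Image]\nFilename=example.iso\nTemplate=example.template\n"
            "# Template Hex MD5Sum " + hashlib.md5(template).hexdigest() + "\n"
            "# Template Hex SHA512Sum " + hashlib.sha512(template).hexdigest() + "\n")
    jigdo = gzip.compress(body.encode())
    sums = hashlib.sha512(jigdo).hexdigest() + "  example.jigdo\n"
    return sums, jigdo, template
```

Without the first step the checksums inside .jigdo prove nothing, since whoever alters the .template can alter the .jigdo comment lines to match.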