On Wed, Jan 14, 2015 at 10:49:01AM +0100, Enos D'Andrea wrote:
> Thanks, but I was hoping for a method that would also verify the CD boot
> process, and that would not require downloading and installing a second
> image or trusting the CD to verify itself.
Bootstrapping trust is always going to be hard no matter what we do and how hard we try. Since releases have been signed (since 5.4) people have been asking for even more verification than they used to ask for. This puzzles me. Before signify the answer to the trust problem was "buy a CD" and most paranoid people went with that. Now the answer has become "buy a CD and cross-check it with signify" and it's still not enough. What's next, should we invite everyone to Theo's house to run a collective install fest from his NFS server?

From the developer point of view it seems to be more a problem of managing expectations rather than a technical one. :-/

Speaking of which: Are you sure you can trust the hardware you're booting this CD on? Is it by chance a laptop that supports Intel vPro? In this case it likely runs SOAP/TLS(OpenSSL)/Kerberos code in firmware and the OS can't make any hard guarantees about the safety of your machine anyway:

https://software.intel.com/sites/default/files/71/eb/mngstages.jpg

In other words, if you really want to argue trust down to the very last bit the discussion becomes pointless very quickly. It is never going to be perfect.
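The "cross-check it with signify" step mentioned above, written out as an added example; this is not code from the mail or from the OpenBSD project. It assumes the release public key lives at /etc/signify/openbsd-56-base.pub, that the signed checksum list SHA256.sig and the image install56.iso were fetched from a mirror, and that the OpenBSD checksum-list line format is `SHA256 (file) = hex`. The signify(1) step is the one that gives authenticity; the second function only checks integrity against a list you already trust, and is there to show what signify -C is comparing under the hood.

```sh
#!/bin/sh
# Added example, not part of the original mail. Paths, key file name and
# release number are assumptions; adjust them to the release you are checking.
set -eu

PUBKEY=/etc/signify/openbsd-56-base.pub   # assumed: base key for the release
SIGFILE=SHA256.sig                        # signify-signed checksum list from the mirror
IMAGE=install56.iso                       # assumed: the image that was burned to the CD

# Authenticity + integrity: signify verifies the signature over the checksum
# list with the release key, then checks IMAGE against the listed digest.
# Exit status is 0 only if both the signature and the digest match.
verify_with_signify() {
    signify -C -p "$PUBKEY" -x "$SIGFILE" "$IMAGE"
}

# Integrity only: compare a file against a plain (unsigned) SHA256 list in the
# "SHA256 (name) = hex" format. Without the signature step, anyone who can
# replace the list can also replace the image, so this is not a substitute
# for verify_with_signify; it shows the comparison signify -C performs.
check_listed_sha256() {
    list=$1; file=$2
    name=$(basename "$file")
    expected=$(sed -n "s/^SHA256 ($name) = \([0-9a-f]\{64\}\)\$/\1/p" "$list")
    if [ -z "$expected" ]; then
        echo "$name: not listed in $list" >&2
        return 1
    fi
    # sha256(1) on OpenBSD, sha256sum(1) on most other systems.
    if command -v sha256 >/dev/null 2>&1; then
        actual=$(sha256 -q "$file")
    else
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    fi
    if [ "$actual" != "$expected" ]; then
        echo "$name: digest mismatch" >&2
        echo "  listed:   $expected" >&2
        echo "  computed: $actual" >&2
        return 1
    fi
    echo "$name: OK"
}

# Usage (real check, needs signify(1) and the files named above):
#   verify_with_signify
# Usage (integrity-only comparison against an unsigned list):
#   check_listed_sha256 SHA256 install56.iso
```

Note that signify -C also refuses the list if the signature does not verify, so a modified SHA256.sig fails before any digest is computed; the unsigned comparison has no such protection, which is exactly why the mail's answer is "cross-check it with signify" rather than "compare the checksums".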