Re: Verification of netboot installer and firmware files

2015-09-06 Thread Daniel Reichelt
On 09/06/2015 07:14 PM, Paul Wise wrote:
> On Sun, Sep 6, 2015 at 10:20 AM, Daniel Reichelt wrote:
> 
>> [1] http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/
> 
> ftp://ftp.debian.org/debian/dists/stretch/Release
> ftp://ftp.debian.org/debian/dists/stretch/Release.gpg
> 
>> [3] http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/
> 
> Probably better to use the ISO images that include firmware, these are signed:
> 
> http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current/amd64/iso-cd/
> 

Paul, thanks a lot for the hints. That'll do...

Daniel



Verification of netboot installer and firmware files

2015-09-06 Thread Daniel Reichelt
Hey there

I'm wondering if there's a practical way to verify the netboot installer files
and firmware archives provided via [1]-[3]. I couldn't find anything similar to
the signed (md5|shaX)sum files provided for the ISOs, nor any lines in the
official installation guide about verification.

Am I missing s.th.? Looking forward to suggestions!


If I'm really the first one to bring this up: IMHO the simplest solution would
be to gpg-sign the hash lists under [1]/[2] and provide signed hash lists for
[3] as well.



Thanks

Daniel


[1] http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/
[2] http://d-i.debian.org/daily-images/amd64/daily/
[3] http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/



Re: Verification of netboot installer and firmware files

2015-09-06 Thread Andrew M.A. Cater
On Sun, Sep 06, 2015 at 10:20:04AM +0200, Daniel Reichelt wrote:
> Hey there
> 
> I'm wondering if there's a practical way to verify the netboot installer files
> and firmware archives provided via [1]-[3]. I couldn't find anything similar to
> the signed (md5|shaX)sum files provided for the ISOs, nor any lines in the
> official installation guide about verification.
> 

Folk are aware of this: in other threads on other mailing lists, they're
discussing the things needed to harden/verify repositories and downloads.

The next iteration of Apt does bring significant enhancements for some of those
steps.

http://wiki.debian.org/Hardening/RepoAndImages may also help - people are aware :)



> Am I missing s.th.? Looking forward to suggestions!
> 
> 
> If I'm really the first one to bring this up: IMHO the simplest solution would
> be to gpg-sign the hash lists under [1]/[2] and provide signed hash lists for
> [3] as well.
> 
> 

Not the first

All the best, 

AndyC

> 
> Thanks
> 
> Daniel
> 
> 
> [1] http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/
> [2] http://d-i.debian.org/daily-images/amd64/daily/
> [3] http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/



Re: Verification of netboot installer and firmware files

2015-09-06 Thread Paul Wise
On Sun, Sep 6, 2015 at 10:20 AM, Daniel Reichelt wrote:

> [1] http://ftp.nl.debian.org/debian/dists/stretch/main/installer-amd64/current/images/

ftp://ftp.debian.org/debian/dists/stretch/Release
ftp://ftp.debian.org/debian/dists/stretch/Release.gpg

> [3] http://cdimage.debian.org/cdimage/unofficial/non-free/firmware/

Probably better to use the ISO images that include firmware, these are signed:

http://cdimage.debian.org/cdimage/unofficial/non-free/cd-including-firmware/current/amd64/iso-cd/

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
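
The Release/Release.gpg pointers in the reply above give a verification chain for the files under [1]; the following is an added example, not part of the thread. It assumes the suite's Release file lists main/installer-amd64/current/images/SHA256SUMS in its SHA256: section; the function names are hypothetical and the fixture files are constructed so the script runs offline.

```shell
#!/bin/sh
# Chain of trust: Release.gpg -> Release -> images/SHA256SUMS -> installer file.
# Step 0 (needs the real files and the debian-archive-keyring package, not run here):
#   gpgv --keyring /usr/share/keyrings/debian-archive-keyring.gpg Release.gpg Release
SUMS_PATH="main/installer-amd64/current/images/SHA256SUMS"

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Print the hash that Release ($1) records for path $2, reading only the
# SHA256: section (the MD5Sum: and SHA1: sections list the same paths).
release_hash() {
    awk -v p="$2" '
        /^SHA256:/ { in_s = 1; next }
        /^[^ ]/    { in_s = 0 }
        in_s && $3 == p { print $1; exit }' "$1"
}

# verify_image RELEASE SUMS FILE NAME
# NAME is the entry as written in SHA256SUMS, e.g. ./netboot/mini.iso
verify_image() {
    release=$1 sums=$2 file=$3 name=$4
    want=$(release_hash "$release" "$SUMS_PATH")
    [ -n "$want" ] || { echo "SHA256SUMS not listed in Release" >&2; return 2; }
    [ "$(sha256_of "$sums")" = "$want" ] ||
        { echo "SHA256SUMS does not match Release" >&2; return 3; }
    want=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    [ -n "$want" ] || { echo "$name not listed in SHA256SUMS" >&2; return 4; }
    [ "$(sha256_of "$file")" = "$want" ] ||
        { echo "$name does not match SHA256SUMS" >&2; return 5; }
    echo "OK: $name"
}

# Constructed fixture: a stand-in image, its SHA256SUMS, and a minimal Release.
make_fixture() {
    d=$1; mkdir -p "$d/netboot"
    printf 'constructed installer image\n' > "$d/netboot/mini.iso"
    printf '%s  ./netboot/mini.iso\n' "$(sha256_of "$d/netboot/mini.iso")" > "$d/SHA256SUMS"
    {
        printf 'Suite: constructed\nMD5Sum:\n'
        printf ' 00000000000000000000000000000000 10 %s\n' "$SUMS_PATH"
        printf 'SHA256:\n %s %s %s\n' "$(sha256_of "$d/SHA256SUMS")" \
            "$(wc -c < "$d/SHA256SUMS")" "$SUMS_PATH"
    } > "$d/Release"
}

# Demo on the constructed fixture.
tmp=$(mktemp -d) && make_fixture "$tmp" &&
    verify_image "$tmp/Release" "$tmp/SHA256SUMS" "$tmp/netboot/mini.iso" ./netboot/mini.iso
rm -rf "$tmp"
```

A SHA256SUMS file that has been regenerated to match a modified image still fails at the Release comparison, which is why the signed Release file has to be the starting point.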