Web lists-archives.com

Re: Would be possible to have a ".treeinfo" file added to the installers' page?




On Fri, Dec 7, 2018 at 1:23 PM Fabiano Fidêncio <fabiano@xxxxxxxxxxxx> wrote:
>
> On Fri, Dec 7, 2018 at 1:16 PM Paul Wise <pabs@xxxxxxxxxx> wrote:
> >
> > On Fri, Dec 7, 2018 at 6:37 PM Fabiano Fidêncio wrote:
> >
> > > So, what I'm looking for is something like:
> > > http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/.treeinfo,
> > > where the .treeinfo would  have something like:
> >
> > None of the examples you have linked to or quoted appears to be
> > OpenPGP signed and some of them are not even available over TLS. I see
> > some of them do have cryptographic hashes though. Does treeinfo have
> > any protection against MITM attacks?
>
> I sincerely don't know. But how is it different from accessing the
> trees nowadays and hard-coding the paths to the kernel and initrd in
> the apps?
> For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/
> isn't even available over TLS also.
>
> So, not saying that we shouldn't care about MITM attacks, just trying
> to understand how different the policy would be for this one file than
> it currently is for the rest of the installer tree.
>
> In any case, I'm more than happy to hear suggestions from the
> community on how we could distinguish the installer trees on our side
> if not using .treeinfo files.

More into this one, please, take a look at
https://release-engineering.github.io/productmd/treeinfo-1.0.html

There it's specified that we could have the checksums to ensure that
the file provided is the one downloaded.
But, again, if someone takes over one of the servers, they can just
change the checksums and provide a different file. Although this
scenario is not related to having or not having a .treeinfo file.

Best Regards,
-- 
Fabiano Fidêncio