Re: Would be possible to have a ".treeinfo" file added to the installers' page?

On Fri, Dec 7, 2018 at 8:23 PM Fabiano Fidêncio wrote:

> I sincerely don't know. But how is it different from accessing the
> trees nowadays and hard-coding the paths to the kernel and initrd in
> the apps?

Accessing hardcoded URLs (to .treeinfo or other files) isn't a good
idea in case they change.

> For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/
> isn't even available over TLS also.

It is however protected in the same way all of the archive is, using
OpenPGP signatures on the Release files and a hash chain to the files
themselves.

http://ftp.debian.org/debian/dists/stretch/Release
http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/SHA256SUMS

> So, not saying that we shouldn't care about MITM attacks, just trying
> to understand how different the policy would be for this one file than
> it currently is for the rest of the installer tree.

If a .treeinfo were added for each of the installer directories, I
assume it wouldn't be treated any different to the other files in
those directories.

> In any case, I'm more than happy to hear suggestions from the
> community on how we could distinguish the installer trees on our side
> if not using .treeinfo files.

Personally, until something better exists (such as .treeinfo) I would
be using the apt repository metadata. It seems to contain similar info
to the example treeinfo you quoted anyway.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
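The signature-and-hash chain pabs describes above (OpenPGP signature on Release, SHA256SUMS listed in Release, installer files listed in SHA256SUMS), as an added example that is not part of this thread and not Debian's own tooling: a Python check of the two SHA256 hops over constructed sample data. It assumes the Release file has already been verified against the archive keyring (e.g. with gpgv on Release.gpg), which is the step that anchors the chain and is not reproduced here.

```python
# Added example (not from this thread): walk the Debian archive hash chain
# from a Release file down to an installer image. Assumes Release has already
# been verified against the archive keyring (gpgv Release.gpg Release); only
# the two SHA256 hops are checked here, over constructed sample data.
import hashlib

def parse_release_sha256(release_text):
    """Map path -> sha256 hex from the 'SHA256:' block of a Release file.
    Entry lines look like ' <hash> <size> <path>' (leading space)."""
    sums, in_block = {}, False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
        elif in_block and line.startswith(" "):
            parts = line.split()
            if len(parts) == 3:
                sums[parts[2]] = parts[0].lower()
        elif in_block:
            break  # next header field ends the block
    return sums

def parse_sha256sums(text):
    """Map path -> sha256 hex from an installer SHA256SUMS file ('<hash>  ./path')."""
    sums = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            path = parts[1].strip()
            sums[path[2:] if path.startswith("./") else path] = parts[0].lower()
    return sums

def verify_chain(release_text, sums_path, sums_bytes, file_path, file_bytes):
    """True only if Release vouches for SHA256SUMS and SHA256SUMS vouches for the file."""
    expected = parse_release_sha256(release_text).get(sums_path)
    if expected is None or hashlib.sha256(sums_bytes).hexdigest() != expected:
        return False
    expected = parse_sha256sums(sums_bytes.decode()).get(file_path)
    return expected is not None and hashlib.sha256(file_bytes).hexdigest() == expected

# Constructed sample data standing in for the real archive files.
KERNEL = b"constructed stand-in for netboot/debian-installer/amd64/linux\n"
SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"
SHA256SUMS = ("%s  ./netboot/debian-installer/amd64/linux\n"
              % hashlib.sha256(KERNEL).hexdigest()).encode()
RELEASE = ("Origin: Debian\nSuite: stretch\nSHA256:\n %s %d %s\n"
           % (hashlib.sha256(SHA256SUMS).hexdigest(), len(SHA256SUMS), SUMS_PATH))

def demo():
    """Returns (intact kernel verifies, tampered kernel verifies)."""
    path = "netboot/debian-installer/amd64/linux"
    good = verify_chain(RELEASE, SUMS_PATH, SHA256SUMS, path, KERNEL)
    bad = verify_chain(RELEASE, SUMS_PATH, SHA256SUMS, path, KERNEL + b"x")
    return good, bad

if __name__ == "__main__":
    print(demo())  # (True, False)
```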