hi,
I had a look at how docker images for 32bit are built. Despite looking very 
official by their namespace,  
32bit/ubuntu and
32bit/debian
I found that "32bit" is nothing more than an individual guy who created an 
account at docker hub in oct/2010. (https://hub.docker.com/u/32bit/) He created 
an "organization" at github, everyone can do that easily: 
https://github.com/docker-32bit. That organization consists of exactly "1 
people", him. - lol

In his repository I find the build definition for docker 32bit debian, c.f. 
https://github.com/docker-32bit/debian/blob/i386/build-image.sh. In there I see 
he sets up the mirror and pretty much every "deb" reference with "http://", 
not "https://". From what I have found in Wikis of Debian and Ubuntu, HTTP 
still seems standard practice in the debian ecosystem. But I wonder how and 
where the downloaded binaries are verified against any checksums?

Even if there is only HTTP for Debootstrap, how can I make sure I received the 
latest official checksums via HTTPS from trusted channels for those downloaded 
binaries? 
Thank you. And a link to where I should have found the "f***ing manual" 
regarding debianroot security would also be very helpful.

Kind regards
(someone not using real identity/email in fear of hackers who exploit such 
vulnerabilities)
