On Thu, Feb 01, 2018 at 02:33:25PM +0000, Sam Overton wrote:
>Hi,
>
>I'm trying to download a copy of vmlinuz and initrd.gz from
>
>${MIRROR}/debian/dists/stretch/main/installer-amd64/current/images/hd-media/
>
>All Debian mirrors appear to be HTTP only, and since these files are not deb
>packages, there is no GPG signing of the files. The mirror contains checksums,
>but these are also served over insecure HTTP.
>
>What is the secure way to download and verify these files?
The file ${MIRROR}/debian/dists/stretch/Release has checksums for
main/installer-amd64/current/images/MD5SUMS, and there is a signature
in Release.gpg.
--
Steve McIntyre, Cambridge, UK. st...@einval.com
< sladen> I actually stayed in a hotel and arrived to find a post-it
note stuck to the mini-bar saying "Paul: This fridge and
fittings are the correct way around and do not need altering"
