Hi Didier,
On Tuesday 08 February 2011 17:06:37 Didier Raboud wrote:
> a current flaw of the standalone version of win32-loader (source and binary
> package in Debian) is that it downloads the d-i kernel and initrds through
> Internet without any form of checking that those are authenticated binaries
> from the Debian project (see #442180 for details).
>
> In order to solve this, the Windows executable needs to check the signature
> on the downloaded Release{,.gpg} file and then check the md5sums of
> various files. The md5sum checksum verification is already implemented
> (although not uploaded yet) with a md5sum implementation internal to NSIS.
> There are still missing pieces on FTP-Master side (see #611087, which will
> get solved in their upcoming meeting, I heard), but I would also need a
> gpgv.exe that could run on the target Windows host, to check the
> downloaded Release{,.gpg} files.I'm not aversive to this plan but I do not completely understand it. You need gpgv.exe on the Windows platform, but you cannot install debs there, right? So what would the role of this deb be exactly? Also I cannot test it. Would you assume responsibility for dealing with potential bug reports for this? Cheers, Thijs
signature.asc
Description: This is a digitally signed message part.

