On Fri, Dec 7, 2018 at 1:16 PM Paul Wise <p...@debian.org> wrote:
>
> On Fri, Dec 7, 2018 at 6:37 PM Fabiano Fidêncio wrote:
>
> > So, what I'm looking for is something like:
> > http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/.treeinfo,
> > where the .treeinfo would have something like:
>
> None of the examples you have linked to or quoted appears to be
> OpenPGP signed and some of them are not even available over TLS. I see
> some of them do have cryptographic hashes though. Does treeinfo have
> any protection against MITM attacks?
I sincerely don't know. But how is it different from accessing the trees nowadays and hard-coding the paths to the kernel and initrd in the apps? For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/ isn't even available over TLS either.

So, I'm not saying that we shouldn't care about MITM attacks, just trying to understand how different the policy would be for this one file than it currently is for the rest of the installer tree.

In any case, I'm more than happy to hear suggestions from the community on how we could distinguish the installer trees on our side if not using .treeinfo files.

Best Regards,
--
Fabiano Fidêncio
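To make the point of the exchange concrete (hashes inside a .treeinfo catch a corrupted or swapped image, but only if the .treeinfo itself is authenticated, which is what the OpenPGP/TLS question is about), here is an added Python example. It is not code from the thread, from Debian or from any installer tool. The .treeinfo layout it uses (an INI file with a [checksums] section whose values are "algo:hexdigest") follows the productmd convention as I understand it and should be treated as an assumption; the kernel and initrd bytes are constructed inline.

```python
"""Verify installer images against the [checksums] section of a .treeinfo.

Added example (not from the mailing-list thread or any distribution's tooling).
Assumed .treeinfo layout: INI file, [checksums] entries of the form
    images/vmlinuz = sha256:<hex>
All file contents below are constructed stand-ins, not real installer images.
"""
import configparser
import hashlib

# Constructed bytes standing in for the kernel and initrd of an installer tree.
VMLINUZ = b"constructed vmlinuz bytes\n"
INITRD = b"constructed initrd.gz bytes\n"


def build_treeinfo(artifacts, algo="sha256"):
    """Return .treeinfo text whose [checksums] section covers `artifacts`.

    artifacts: mapping of relative path -> file bytes (constructed here).
    """
    lines = ["[general]", "name = Constructed Installer", "version = 1",
             "arch = amd64", "", "[checksums]"]
    for path, data in artifacts.items():
        lines.append(f"{path} = {algo}:{hashlib.new(algo, data).hexdigest()}")
    return "\n".join(lines) + "\n"


def parse_checksums(treeinfo_text):
    """Return {path: (algo, hexdigest)} parsed from the [checksums] section."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keys are file paths; keep their case
    cp.read_string(treeinfo_text)
    out = {}
    for path, value in cp.items("checksums"):
        algo, _, digest = value.partition(":")
        if not digest or algo not in hashlib.algorithms_available:
            raise ValueError(f"unsupported checksum entry for {path}: {value!r}")
        out[path] = (algo, digest.lower())
    return out


def verify_artifacts(treeinfo_text, fetched):
    """Check each fetched image against .treeinfo; return {path: bool}.

    A path listed in .treeinfo but absent from `fetched` is reported False,
    so a silently dropped initrd is noticed instead of ignored.
    """
    results = {}
    for path, (algo, digest) in parse_checksums(treeinfo_text).items():
        data = fetched.get(path)
        if data is None:
            results[path] = False
            continue
        results[path] = hashlib.new(algo, data).hexdigest() == digest
    return results


def unsigned_checksum_limits():
    """Show what hash checking alone does and does not establish.

    Case 1: the .treeinfo is the authentic one and an image differs -> caught.
    Case 2: .treeinfo and images are both replaced by a self-consistent set,
    as an on-path party could do on an unauthenticated channel -> not caught,
    because nothing ties the .treeinfo to the distribution. That tie has to
    come from authenticating the .treeinfo itself (TLS to a trusted host,
    or a detached OpenPGP signature checked against a pinned key).
    """
    authentic = build_treeinfo({"images/vmlinuz": VMLINUZ,
                                "images/initrd.gz": INITRD})
    tampered = verify_artifacts(authentic, {"images/vmlinuz": VMLINUZ + b"!",
                                            "images/initrd.gz": INITRD})
    other_vmlinuz, other_initrd = b"other vmlinuz\n", b"other initrd\n"
    replaced_tree = build_treeinfo({"images/vmlinuz": other_vmlinuz,
                                    "images/initrd.gz": other_initrd})
    consistent = verify_artifacts(replaced_tree, {"images/vmlinuz": other_vmlinuz,
                                                  "images/initrd.gz": other_initrd})
    return {
        "tampered_image_detected": not all(tampered.values()),
        "replaced_tree_detected": not all(consistent.values()),
    }


if __name__ == "__main__":
    tree = build_treeinfo({"images/vmlinuz": VMLINUZ, "images/initrd.gz": INITRD})
    print(tree)
    print(verify_artifacts(tree, {"images/vmlinuz": VMLINUZ, "images/initrd.gz": INITRD}))
    print(unsigned_checksum_limits())
```

The verifier deliberately treats a missing image as a failure rather than skipping it, and the last function is the thread's argument in executable form: the checksums in .treeinfo give integrity relative to the .treeinfo, so the policy question is really how the .treeinfo (and today, the hard-coded kernel and initrd paths) get authenticated, not whether hashes are present.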