On Fri, Dec 7, 2018 at 8:23 PM Fabiano Fidêncio wrote: > I sincerely don't know. But how is it different from accessing the > trees nowadays and hard-coding the paths to the kernel and initrd in > the apps?
Accessing hardcoded URLs (to .treeinfo or other files) isn't a good idea in case they change. > For instance, http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/ > isn't even available over TLS also. It is however protected in the same way all of the archive is, using OpenPGP signatures on the Release files and a hash chain to the files themselves. http://ftp.debian.org/debian/dists/stretch/Release http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/SHA256SUMS > So, not saying that we shouldn't care about MITM attacks, just trying > to understand how different the policy would be for this one file than > it currently is for the rest of the installer tree. If a .treeinfo were added for each of the installer directories, I assume it wouldn't be treated any different to the other files in those directories. > In any case, I'm more than happy to hear suggestions from the > community on how we could distinguish the installer trees on our side > if not using .treeinfo files. Personally, until something better exists (such as .treeinfo) I would be using the apt repository metadata. It seems to contain similar info to the example treeinfo you quoted anyway. -- bye, pabs https://wiki.debian.org/PaulWise
