Thanks, but if you will notice, I have that link already listed at the bottom of my message.
Also, you should not respond directly to people unless they specifically ask you to do so. I did not ask.

On Wed, Jul 9, 2014 at 11:52 PM, Reid Sutherland <r...@vianet.ca> wrote:
> https://www.debian.org/
>
> Go to CD ISO Images, then Verify.
>
> On Jul 10, 2014, at 12:24 AM, Kitty Cat <realizar.la....@gmail.com> wrote:
>
> > Thanks.
> >
> > I'm new here. I was not on this list then. However, I just read the thread:
> >
> > https://lists.debian.org/debian-security/2011/01/msg00002.html
> >
> > I saw that some of my concerns were mentioned there about obtaining and verifying installation media, MITM attacks, etc.
> >
> > I have previously verified installation media via the methods described in the FAQ, downloading GPG keys, etc. and still
> > had an issue of having aptitude telling me that all available packages are from untrusted sources. (This was some years
> > ago when I had this issue)
> >
> > I seem to remember being offered security updates for the kernel, OpenSSL, SSH, etc. where my only option was to download
> > untrusted packages. I would get warning messages from aptitude about installing security updates.
> >
> > Maybe there should be written a document that describes in detail in easy to understand language what steps to take to
> > verify keys and verify that apt has not been compromised in an already installed system. And also verifying that GPG has not
> > been compromised.
> >
> > It is the job of the NSA to be able to compromise systems. We should make that task as difficult as possible at every level
> > and also be able to easily verify that our system has not been corrupted.
> >
> > I think having a good guide to checking your installed Debian system would be of use. Particularly useful would be instructions
> > to check to see if your system has been compromised by validating all already installed packages. MS Windows has an option
> > to check installed Windows components.
> >
> > Some relevant links that I have previously discovered:
> >
> > https://wiki.debian.org/Keysigning
> > https://wiki.debian.org/Keysigning/Coordination
> > http://www.debian.org/CD/verify
> > http://www.debian.org/CD/faq/#verify
> >
> > On Wed, Jul 9, 2014 at 8:11 PM, Michael Stone <mst...@debian.org> wrote:
> > On Wed, Jul 09, 2014 at 06:29:09PM -0600, Kitty Cat wrote:
> > For years I have been concerned with MITM attacks on Debian mirrors.
> >
> > We discussed this literally within the past couple of months on this list, at length. Have you read the archives, including the posts about how to establish a trust path to the ISOs?
> >
> > Mike Stone