https://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/




On 12.07.2016 at 04:06, [email protected] wrote:
> Hi,
> 
> isn't it amazing & SAD that currently DEBIAN USERs CANNOT OBTAIN ANY 
> hash/integrity CODE/file, or signature/sign code/file for CD-DVD ISO file, or 
> the file-signing GPG pubkey file, OVER/THRU a (HTTPS/HKPS) ENCRYPTED 
> connection ? !!! (from the primary domain/server "debian.org" or 
> "www.debian.org" website) !  do you not notice it !!! ?  or who forced you to 
> implement+maintain such WEAK security system ?!
> 
> in https://www.debian.org/CD/verify webpage: (1a) please Show+Enable HKPS 
> based GPG KeyServer, or (1b) Allow Single GPG PUBKEY File Download (which is 
> including all file-signing pubkeys), Over (HTTPS) ENCRYPTED CONNECTION.  And 
> (2) display CD/DVD ISO-file's HASH/CheckSUMS INTEGRITY codes/files (over 
> HTTPS webpage) under that "CD" folder for last+stable debian release, (and 
> also allow HTTPS based sig/sign file, "*.bittorrent" index-file download).
> 
> in the https://keyring.debian.org/ webpage also show this, example 
> command-line:
> gpg2 --keyserver hkps://keyring.debian.org:443 --recv-keys 0x42468F4009EA8AC3
> 
> If above steps are done, then very-large sized (few GIGABYTES sized) 
> ISO-file's can be delivered to users, or users can obtain, over non-encrypted 
> HTTP or FTP etc connection.  In fact, all users should be forced to download 
> ISO file over HTTP non-encrypted connection (by using url-redirecting in 
> web-server side), WHEN INTEGRITY & PUBKEY is downloadable over (HTTPS/HKPS) 
> ENCRYPTED CONNECTION.
> 
> CD/DVD image ISO file's GPG-SIGNATURE (sig/sign) FILE or SHAnnnSUMS INTEGRITY 
> FILES (all of these files are very very TINY SIZED FILES (few KILOBYTES 
> only), compared to the VERY large-sized main file, the ISO files).  So 
> AT-LEAST sig/sign file + Sums/Hash code files, need to be shared with all 
> users (from "https://cdimage.debian.org"; or https://www.debian.org/CD/ 
> website) over HTTPS encrypted connection/transfer. Currently the 
> "cdimage.debian.org" sub-domain server does not support HTTPS connections & 
> none of the tiny files are downloadable over HTTPS/HKPS ENCRYPTED connection 
> !!!  if those tiny files are downloadable over HTTPS encrypted connection, 
> then users can match/compare, "codes" obtained (over secure HTTPS/HKPS 
> Encrypted connection) from SUMS/hash integrity file, with the calculated hash 
> code of the downloaded ISO file, (or by using a GPG tool, user can verify the 
> authenticity of downloaded ISO file, by using securely downloaded signature 
> file).
> 
> since "Debian.org" website is now already DNSSEC signed by its own 
> developers :)  and website's used TLS/SSL cert is also defined+declared in 
> TLSA/DANE dns record :)  so all HTTPS webpage INFO from primary website 
> ("https://www.debian.org/") are already (SSL/TLS CA, and, DANE DNSSEC), 
> double channel (aka, double TA) verified.  Users can very easily see 
> indication (for free or almost at no-cost) of this double-verification, if 
> they use https://www.dnssec-validator.cz/ addon in (firefox/IE/safari/chrome) 
> web-browser, etc, AND, if a local full dnssec supported dns-resolver, (like 
> "unbound" from https://www.unbound.net/ is used).
> 
> please MENTION about these two or similar (DNSSEC-Validator, Unbound) APP, IN 
> THAT "verify" WEBPAGE, so that all users+people can know there are OTHER 
> existing & alternative & trustworthy ways, to verify/authenticate,  And 
> "debian.org" website & its devs have already implemented+using them.   
> Unless you mention about "DNSSEC" in that "verify" webpage, how else would 
> people know about using this alternative ? !!!  don't assume every1 is 
> traveling around the world & meeting correct people all the time, & know all 
> kinds of (correct) ways.
> 
> please allow your/debian users to enjoy & utilize this double-verification, 
> for getting tiny file-integrity (sums/hash) code files, over HTTPS based 
> encrypted connection from a DNSSEC signed & DANE authenticated website.
> 
> Please fix these issues, and update your website. Thank you.
> 
> I'm also posting, a similar (not exactly same) request, in Debian-CD 
> Mailing-list, as it requires attention from packagers & devs working on 
> CDs/DVDs, to place & show the integrity-files into primary domain (along with 
> showing in "cdimage" subdomain).  Also posting a similar (not exactly same) 
> request in Debian-www Mailing-list, as it requires them to update SSL cert 
> for the "keyring" & "cdimage" subdomain & update the "verify" webpage.  
> Keeping Debian-Security Mailing-list discussion in detail, here, as it 
> involves Debian installer & related file's integrity & Debian webserver's 
> data TRANSFER security.
> 
> -- Erik.
> 

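The client side of the verification the message describes, as an added example (not code from the message or from Debian): the tiny SHA512SUMS file is trusted only after gpg accepts its detached signature, and only then is the large ISO's streamed SHA-512 compared with the listed value. The gpg step assumes the signing key is already imported; every file name and sample byte string below is constructed.

```python
"""Verify a Debian-style ISO the way the message asks: authenticate the tiny SHA512SUMS
file via its detached GPG signature first, only then compare the big ISO's digest.
All file names and sample data below are constructed."""
import hashlib, hmac, subprocess, tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream the multi-gigabyte ISO instead of reading it whole

def parse_sums(text: str) -> dict:
    """Parse SHA512SUMS lines '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[1].lstrip("*")] = parts[0].lower()
    return entries

def sha512_of_file(path: Path) -> str:
    h = hashlib.sha512()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()

def signature_is_valid(sums_path: Path, sig_path: Path) -> bool:
    """gpg --verify of the detached .sign file; the signing key must already be imported."""
    r = subprocess.run(["gpg", "--verify", str(sig_path), str(sums_path)], capture_output=True)
    return r.returncode == 0

def check_iso(sums_text: str, iso_path: Path) -> str:
    """'ok', 'mismatch' or 'not-listed': compare iso_path's digest with the listed one."""
    expected = parse_sums(sums_text).get(iso_path.name)
    if expected is None:
        return "not-listed"
    return "ok" if hmac.compare_digest(sha512_of_file(iso_path), expected) else "mismatch"

def verify_iso(sums_path: Path, sig_path: Path, iso_path: Path) -> str:
    if not signature_is_valid(sums_path, sig_path):  # never consult unsigned sums
        return "bad-signature"
    return check_iso(sums_path.read_text(), iso_path)

def demo() -> tuple:
    """Constructed sample: a fake ISO, a tampered rewrite of it and an unlisted file."""
    d = Path(tempfile.mkdtemp())
    iso, other = d / "debian-x.iso", d / "other.iso"
    iso.write_bytes(b"constructed ISO payload"); other.write_bytes(b"unlisted")
    sums = f"{sha512_of_file(iso)} *{iso.name}\n"
    first = check_iso(sums, iso)
    iso.write_bytes(b"constructed ISO payload, tampered")
    return first, check_iso(sums, iso), check_iso(sums, other)
```

Fetching SHA512SUMS, SHA512SUMS.sign and the signing key over HTTPS/HKPS, as the message asks, is what makes the signature check meaningful; the ISO itself can then come over plain HTTP.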