Should not .jigdo files be in SHA512SUMS ?
Hi,

while working on my JigdoOnLive wiki page I got pointed by Paul Wise to the fact that the "https:" URLs of cdimage.debian.org files do not really protect their file content against tampering.

I am quite sure that the .jigdo files are not verified by jigdo-lite beyond (possibly) the gzip checksum. There is no entry in the *SUMS files which accompany the .jigdo files at cdimage.debian.org/debian-cd/current/*/jigdo-*/. The files do not even bear an inner checksum to surely protect them against transmission errors (gzip CRC is 32 bit, AFAIK).

Some undesirable aspects:

- Manipulated .jigdo and .template files could lure jigdo-lite into letting wget download arbitrary URLs.
- The .iso.tmp file could inflate to arbitrary size.
- jigdo-lite's affirmative final statement about matching checksum could lure people into omitting the *SUMS/*SUMS.sign verification.

If the .jigdo files were listed in the *SUMS files, then we could at least rely on the "Template Hex MD5Sum" inside .jigdo. Better would be if .template were listed in *SUMS, too, and if we added a line

  # Template Hex SHA512Sum ...

to the .jigdo file.

We should check whether jigdo-lite or jigdo-file really make use of the Template and Image checksums in the .jigdo file. (I suspect that it's only MD5, at best.)

---

Putting new files into *SUMS would have to be done by debian-cd et al. The additional SHA512 line in .jigdo would have to be done in libjte. I'd volunteer if Steve McIntyre gives his OK to the plan.

Auditing of jigdo-lite in respect to checksums is in my reach, too. I will report if I find something especially worrying. But: the more eyes, the better.

Have a nice day :)

Thomas
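The verification chain the message argues for, as an added example that is not part of the thread and not code from jigdo-lite or libjte: a downloaded .jigdo is first checked against a SHA512SUMS entry, and only then is the .template checked against the "# Template Hex MD5Sum" comment inside the .jigdo. The sums file, .jigdo text and template bytes below are constructed samples, and the exact comment-line layout is assumed from the message.

```python
import hashlib
import re

# Constructed sample template payload (not a real jigdo template).
TEMPLATE_BYTES = b"JigsawTemplate-constructed-sample-payload\n"

# Constructed .jigdo text; the "# Template Hex MD5Sum" comment line is the
# field the message refers to (its layout is an assumption here).
JIGDO_TEXT = (
    "# JigsawDownload\n"
    "# Template Hex MD5Sum " + hashlib.md5(TEMPLATE_BYTES).hexdigest() + "\n"
    "\n"
    "[Jigdo]\n"
    "Version=1.1\n"
    "\n"
    "[Image]\n"
    "Filename=debian-example-netinst.iso\n"
    "Template=debian-example-netinst.template\n"
)
JIGDO_BYTES = JIGDO_TEXT.encode()

# Constructed SHA512SUMS that, as proposed in the message, also lists the .jigdo.
SHA512SUMS_TEXT = (
    hashlib.sha512(JIGDO_BYTES).hexdigest() + "  debian-example-netinst.jigdo\n"
    + "0" * 128 + "  debian-example-netinst.iso\n"
)

def parse_sums(text):
    """Parse sha512sum-style 'hash  filename' lines into {filename: hex}."""
    sums = {}
    for line in text.splitlines():
        m = re.match(r"^([0-9a-fA-F]{128})\s+\*?(.+)$", line)
        if m:
            sums[m.group(2)] = m.group(1).lower()
    return sums

def jigdo_listed_and_intact(sums_text, name, jigdo_bytes):
    """True only if the .jigdo is listed in the SUMS file and its SHA-512 matches."""
    expected = parse_sums(sums_text).get(name)
    if expected is None:
        return False  # not listed at all: the gap the message describes
    return hashlib.sha512(jigdo_bytes).hexdigest() == expected

def template_md5_from_jigdo(jigdo_text):
    """Extract the hex digest from the '# Template Hex MD5Sum' comment, or None."""
    m = re.search(r"^# Template Hex MD5Sum ([0-9a-fA-F]{32})\s*$", jigdo_text, re.M)
    return m.group(1).lower() if m else None

def template_matches_jigdo(jigdo_text, template_bytes):
    """Check the .template against the digest carried inside the (already verified) .jigdo."""
    expected = template_md5_from_jigdo(jigdo_text)
    return expected is not None and hashlib.md5(template_bytes).hexdigest() == expected
```

The second check is only as strong as the first: the MD5 inside the .jigdo is trustworthy only once the .jigdo itself has been tied to a signed *SUMS entry.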
Bug#846006: debian-cd: please provide flavor/spin netinst image for Debian Edu
version: 1.944

On Sun, Nov 27, 2016 at 06:00:00PM +0100, Holger Levsen wrote:
> Package: debian-cd
> [...] please provide a flavor/spin
> netinst image with debian-edu-profile-udeb installed. #846003 has the
> implementation details, this bug is for tracking installable media with
> debian-edu-profile enabled.
>
> This probably needs a boot menu entry with
> preseed/early_command="anna-install debian-edu-profile-udeb"
>
> Please note that in the past Debian Edu enabled and used non-free by
> default. This is *not* the case anymore today! Today, we have non-free
> (and contrib) enabled, but we don't install any packages from there.
> #474745 is the bug for tracking that we will also stop doing that. Once
> this bug has a number, I will make it blocked by #474745.

Since debian-edu-config 1.944 (which is in Buster since two days) we don't enable non-free+contrib anymore, so there should be nothing blocking official Debian images which can install Debian Edu anymore. We just need a boot menu entry as described above…

Steve, please let us know if you need anything else from us?!

--
cheers,
	Holger