On Mon, Jan 3, 2011 at 7:06 PM, Naja Melan wrote:
> I totally agree, but from my position as an end user I can only start by
> raising the issues I can observe because I am confronted with them. I don't
> know the security policies for debian/fedora developers if those even exist
> or whether the
on regarding verification of a debian
> installation iso
> To: Naja Melan
>
>
> On Mon, 2011-01-03 at 19:23 +0100, Naja Melan wrote:
> > If the author of such instructions
> > would be forced to justify say md5, I am quite confident that md5 would
> > instantly be scr
Sorry if this is a double post, but I got some mailer-daemon writing to
me... and I think the original did not go to the list.
-- Forwarded message --
From: Robert Tomsick
Date: Mon, Jan 3, 2011 at 7:52 PM
Subject: Re: Fwd: Fwd: question regarding verification of a debian
Thanks for taking this subject seriously.
> HTTPS is going to make it harder for man-in-the-middle shenanigans, but
> that is only part of the path "from the developer to the user."
> One also has to consider whether the project's servers have been tampered
> with - which tends to be the much more
-- Forwarded message --
From: Robert Tomsick
Date: Mon, Jan 3, 2011 at 7:52 PM
Subject: Re: Fwd: Fwd: question regarding verification of a debian
installation iso
To: Naja Melan
On Mon, 2011-01-03 at 19:23 +0100, Naja Melan wrote:
> If the author of such instructions
> wo
On Sun, Jan 2, 2011 at 5:24 PM, Naja Melan wrote:
> If we want to seriously speak of security, then we might conceive that at an
> operating system level, amongst many other things, the issue of getting it
> from the developer to the user without it being tampered with on the way is
> quite an im
>
> I have very limited trust in the CAs.
>
So do I. It is actually not the point. Either we consider them useless, in
which case we should refuse to use them and oppose them because they provide
a false sense of security. We should then think of alternatives.
If we consider them still a bit more
On Mon, 2011-01-03 at 08:19 -0800, Ben Pfaff wrote:
> Eduardo M KALINOWSKI writes:
>
> > How much do you trust your USB drive? It could have a malicious
> > controller that detects when the correct Fedora files are written to
> > it, and replaces with hacked copies. And when you try to verify the
Eduardo M KALINOWSKI writes:
> How much do you trust your USB drive? It could have a malicious
> controller that detects when the correct Fedora files are written to
> it, and replaces with hacked copies. And when you try to verify the
> copy, it detects this and returns the SHA1 (or any other ch
On Mon, Jan 03, 2011 at 03:42:42AM +0100, Naja Melan wrote:
> > You've downloaded a bunch of certificates that came with your web browser.
> > Why do you trust them?
> >
>
> As I pointed out above there are many problems associated with https.
> Trusting the root certificates is one of those. Sti
On Mon, 03 Jan 2011, Eduardo M KALINOWSKI wrote:
2. Some linux distros I see now do have certified https, like fedora which
puts gpg fingerprints (SHA1) of their public keys on their certified
website.
3. Other distros have md5 hashes over certified https, like ubuntu.
(virtually a shared fourth
On Sun, 02 Jan 2011, Naja Melan wrote:
1. Probably the safest thing to do is buy a Mac or Windows CD in the shop,
although there is (for me) no way of knowing how safe that really is.
Do you trust the store? How do you know the store installed the
pristine copy of Windows or Mac OS, and not a
On Mon, 03 Jan 2011, Naja Melan wrote:
Currently I'm installing fedora, because it seems that that is as good as it
gets with https. Their site is very neat and informative in verifying their
downloads, it all comes over certified https even extra tools like the
liveusb-creator. This gives me at
Thanks for pointing out those servers. On a practical level I don't really
see how it helps though, because I don't see a realistic way of getting the
certificate of SPI onto my computer.
> You've downloaded a bunch of certificates that came with your web browser.
> Why do you trust them?
>
As
On Mon, Jan 03, 2011 at 12:24:16AM +0100, Naja Melan wrote:
> Arto Artinian :
>
> > Hi Naja,
> >
>
> > I am not sure what your point is here? You don't trust pgp webs of trust,
> > nor https, nor md5 checksums of debian sources. I mean, at some point if
> > you want to use software that you di
Arto Artinian :
> Hi Naja,
>
> I am not sure what your point is here? You don't trust pgp webs of trust,
> nor https, nor md5 checksums of debian sources. I mean, at some point if
> you want to use software that you didn't exclusively write and/or audit,
> you're gonna have to implicitly trust
-- Forwarded message --
From: Naja Melan
Date: Sun, Jan 2, 2011 at 10:55 PM
Subject: Re: question regarding verification of a debian installation iso
To: Arthur de Jong
Arthur,
I wholeheartedly agree with everything you write. I also think https has
serious drawbacks. So does
On Sun, 2011-01-02 at 18:56 +0100, Naja Melan wrote:
> I'm trying to verify that the debian iso I downloaded has not been
> tampered with by following the following FAQ entry:
>
> http://www.debian.org/CD/faq/#verify
>
> There are some things I don't understand yet. I have gotten as far as
> downl
On Sun, Jan 02, 2011 at 06:56:06PM +0100, Naja Melan wrote:
> hi,
>
> I'm trying to verify that the debian iso I downloaded has not been tampered
> with by following the following FAQ entry:
>
> http://www.debian.org/CD/faq/#verify
>
> There are some things I don't understand yet. I have gotten a
On 02/01/2011 19:32, Naja Melan wrote:
Then cd to the location of your download and do : md5sum YourDebian.iso.
well preferably one of the other hashing algorithms, since md5
is considered broken
what I have read is that you can "easy" find another DadFile.iso file
with the same YourDebia
>
> Nothing easier than that : Go to the downloadpage where you found the iso,
> there or in a nearby directory (like
> http://cdimage.debian.org/debian-cd/5.0.7/i386/iso-cd/MD5SUMS) can find
> the
> sum for your iso.
> Then cd to the location of your download and do : md5sum YourDebian.iso.
> Tha
hi,
I'm trying to verify that the debian iso I downloaded has not been tampered
with by following the following FAQ entry:
http://www.debian.org/CD/faq/#verify
There are some things I don't understand yet. I have gotten as far as
downloading the checksum files, the iso and the signatures of the c