debian-installer images aren't signed in the archive
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Launchpad itself | Triaged | Low | Unassigned | |
Bug Description
Binary package hint: debian-installer
Hi
debian-installer images, for instance netboot images, can be downloaded for karmic/armel at:
http://
but these aren't signed by any gpg key anywhere (that I could find).
(This is also an issue in Debian.)
There are already MANIFEST and MD5SUMS files; I think we could create an "Index" file which would have file names as in the MANIFEST list combined with Sha1:, Sha256: and Md5sums:, perhaps something like http://
Debian has some Index files in http://
Does this look like a good plan? Any security issue with this approach?
Bye,
Changed in soyuz: | |
status: | New → Triaged |
importance: | Undecided → Low |
tags: | added: soyuz-publish |
Changed in debian-installer (Ubuntu): | |
status: | New → Invalid |
no longer affects: | debian-installer (Ubuntu) |
I don't think we need to invent a new index file (the Index files you're referring to are mostly for pdiffs anyway). Why not just add an MD5SUMS.gpg alongside the existing MD5SUMS? That would be simple, sufficient, and straightforward. Alternatively, it would be OK to add the checksums of MD5SUMS itself to the Release file, although that seems a little awkward given that it's sometimes necessary for an archive admin to modify dists/*/main/installer-*/ directly and I would prefer it if those directories were self-contained rather than hooked into Release.
I've added SHA1SUMS and SHA256SUMS files for the next debian-installer upload.
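Added example, not part of the bug thread or of Launchpad's code: a client-side check of the chain discussed above, where a detached signature covers the checksum file and the checksum file covers the images. It assumes a signature named SHA256SUMS.gpg (modelled on the MD5SUMS.gpg suggestion), a pinned keyring file supplied by the caller, and `gpgv` on the PATH; all function names are hypothetical.

```python
import hashlib, os, subprocess

# SHA256SUMS.gpg is an assumed name, by analogy with the MD5SUMS.gpg proposal.
SKIP = {"SHA256SUMS", "SHA256SUMS.gpg"}

def signature_ok(sums, sig, keyring):
    # gpgv checks against the given keyring only and exits non-zero
    # unless the detached signature verifies.
    return subprocess.run(["gpgv", "--keyring", keyring, sig, sums]).returncode == 0

def parse_sums(text):
    # Lines look like "<hex digest>  ./netboot/boot.img" (optional "*" marker).
    entries = {}
    for line in text.splitlines():
        if line.strip():
            digest, name = line.split(None, 1)
            entries[name.lstrip("*")] = digest.lower()
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_tree(root, entries):
    """Return {name: problem}; an empty dict means every file is covered and intact."""
    problems, seen = {}, set()
    root = os.path.realpath(root)
    for name, digest in entries.items():
        path = os.path.realpath(os.path.join(root, name))
        if os.path.commonpath([root, path]) != root:
            problems[name] = "escapes directory"
        elif not os.path.isfile(path):
            problems[name] = "missing"
        else:
            seen.add(path)
            if sha256_file(path) != digest:
                problems[name] = "digest mismatch"
    # Files present on disk but absent from the signed list are unauthenticated.
    for dirpath, _, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if path not in seen and f not in SKIP:
                problems[os.path.relpath(path, root)] = "not covered by signed list"
    return problems

def verify_download(root, keyring):
    # Check the signature first; the checksum list is only trusted afterwards.
    sums = os.path.join(root, "SHA256SUMS")
    if not signature_ok(sums, sums + ".gpg", keyring):
        return {"SHA256SUMS": "no valid signature"}
    with open(sums) as f:
        return check_tree(root, parse_sums(f.read()))
```
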