[Bug 431790] Re: debian-installer images aren't signed in the archive
Loïc Minier
lool at dooz.org
Tue Jan 17 12:53:44 UTC 2012
*** This bug is a duplicate of bug 383044 ***
https://bugs.launchpad.net/bugs/383044
** No longer affects: debian-installer (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to debian-installer in Ubuntu.
https://bugs.launchpad.net/bugs/431790
Title:
debian-installer images aren't signed in the archive
Status in Launchpad itself:
Triaged
Bug description:
Binary package hint: debian-installer
Hi
debian-installer images, for instance netboot images, can be downloaded for karmic/armel at:
http://ports.ubuntu.com/ubuntu-ports/dists/karmic/main/installer-armel/current/images/
but these aren't signed by any gpg key anywhere (that I could find).
(This is also an issue in Debian.)
There are already MANIFEST and MD5SUMS files; I think we could create
an "Index" file which would have file names as in the MANIFEST list
combined with Sha1:, Sha256: and Md5sums:, perhaps something like
http://ftp.de.debian.org/debian/dists/unstable/main/i18n/Index. This
Index file would be hashed in the Release file at
http://ports.ubuntu.com/ubuntu-ports/dists/karmic/Release which has a
detached signature Release.gpg.
Debian has some Index files in
http://ftp.de.debian.org/debian/dists/unstable/Release but I don't
know whether Soyuz supports them; would be trivial to implement
though.
Does this look like a good plan? Any security issue with this
approach?
Bye,
To manage notifications about this bug go to:
https://bugs.launchpad.net/launchpad/+bug/431790/+subscriptions
More information about the foundations-bugs
mailing list