[sf-lug] Linux Mint iso files hacked.
Rick Moen
rick at linuxmafia.com
Mon Feb 22 00:12:51 PST 2016
Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):
> Yes, you make good points about the relative (un)importantce of the
> various pieces present - and missing. Perhaps I was quite meaning to
> imply, but didn't explicitly state, more generally their relatively
> lackadaisical (in)actions regarding assurances of the integrity of
> ISO downloads. [...]
Just a brief note to say thanks and that we're also in agreement.
It's vexing that Linux Mint has a record of half-assedness about this
matter. Let's hope that they have been shocked into doing the missing
30% of the job -- because they actually have most of it. The only truly
missing bit is attestation of the signing key (as far as I can tell).
The rest is there, just badly managed.
> It's not like I and others hadn't given them sufficient prodding
> on it earlier, e.g.:
> http://blog.linuxmint.com/?p=2361#comment-93804
Yeah, it's like Clem either didn't understand your point or ignored it.
> And ... https? Yes, wouldn't have done anything for *this* particular
> issue, but does generally thwart *other* problems.
Out of curiosity, what specific use-case (applies to this particular example)?
On many Web sites, encrypted transport buys little for lack of need for
confidentiality, and authentication is either relatively unimportant or
is better achieved in other ways for relevant content (e.g., gpg-signed
checksums for ISOs).
More information about the sf-lug
mailing list