[sf-lug] trust the sites I download from

Michael Paoli Michael.Paoli at cal.berkeley.edu
Mon Apr 26 17:11:18 PDT 2021


Ah, good thing you take your computer on-site to these sites to download,
plug your Ethernet cable in directly to the site, so you don't have to
worry about anything bad happening between your client and their server
or need be concerned about trusting what's between where you're
downloading and the site you're downloading from.

Oh, ... you're not doing that?
Well, then you check the gpg signature of the ISO (or of secure hash
of the ISO, and independently compute secure hash of that ISO and
check for match), so that you don't have to worry about a
bad ISO (and even matching hash) on a compromised site ... as happened
before, on, oh, e.g. Linux Mint - is that a site you'd actually trust or
have trusted before?  Could name others, but that's just one example.
Oh, and in the case of Linux Mint, there wasn't a valid gpg signature
from the Mint Linux author(s)/project that would show the compromised
ISO as good (or likewise for secure hash of that compromised ISO).

"Of course", at that time, Linux Mint was being stupid and not signing
nor providing any trust path to the ISOs ... but if they had, folks
would'a picked up on that being compromised right away.  But at
least after Linux Mint got burned by that, they then corrected the error
of their ways (I and others told 'em before ... but did they listen? ... no
only after they got burned ... "oops").

So, yeah, don't take a distro seriously if they won't provide a suitable trust
path to verify the data (e.g. ISOs).  And, ... that trust path is provided
for a reason - so one can verify it!  Otherwise, well, it's untrusted data.

Oh, and when I get ISOs from Bobbie (or most anyone), I validate 'em against
the trust path.  And by trust path, I mean a secure way to get from
validated known good secure digital signature of author(s)/project,
to the software/ISOs - e.g. ISO or packages, software, etc.

Oh, and bonus - you validate it, you can get the data from anywhere!
There are these things called mirrors, and bittorrent, etc. to ease the
load/burden from the projects and their sites, so others can help with
that ... do you trust them?  Do you trust hundreds of bittorrent
seeders?  Well, you don't need to, because you validate what you

Oh, yeah, too, good to be a seeder ... give back, help reduce load on the
project's servers (and their mirrors).
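The trust path described above, as an added example in POSIX shell (this is not code from the original post or from any distribution project): verify the project's gpg signature over its checksum list first, then recompute the ISO's SHA-256 locally and compare against that now-trusted list. The file names (SHA256SUMS, SHA256SUMS.gpg, distro.iso), the dedicated "project keyring" and the throwaway demo key are assumptions; a real project publishes its own names and signing key.

```shell
#!/bin/sh
# Added example, not code from the original post or any distribution project.
# Trust path: (1) check the project's gpg signature over its checksum list,
# (2) recompute the ISO's SHA-256 locally and compare with that list.
# File names and the throwaway demo key below are assumptions.

# Step 1: detached-signature check using only the project's signing key,
# held in a dedicated keyring so nothing else on the default ring can vouch.
# That key must be obtained and fingerprint-checked through some channel
# other than the download site itself, or the check proves nothing.
verify_sums_signature() {   # usage: verify_sums_signature KEYRING SUMS SIG
    gpg --batch --no-default-keyring --keyring "$1" \
        --verify "$3" "$2" >/dev/null 2>&1
}

# Step 2: compare the locally computed hash with the entry in the list.
# Returns 0 on match, 1 on mismatch, 2 if the ISO is not listed at all
# (a silent "nothing to compare against" is not a pass).
verify_iso_hash() {         # usage: verify_iso_hash SUMS ISO
    want=$(awk -v f="$(basename "$2")" '$2 == f || $2 == "*" f { print $1 }' "$1")
    [ -n "$want" ] || return 2
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Whole chain, in the order it must run: an unsigned or wrongly signed
# list is rejected before any hash is even looked at.
verify_iso() {              # usage: verify_iso KEYRING SUMS SIG ISO
    verify_sums_signature "$1" "$2" "$3" || return 1
    verify_iso_hash "$2" "$4"
}

# Constructed fixture for the demo: a stand-in "ISO" with its genuine list
# in good/, and in bad/ the same list next to an ISO whose bytes were
# altered, i.e. the compromised-mirror case.
make_fixture() {            # usage: make_fixture DIR
    mkdir -p "$1/good" "$1/bad"
    printf 'pretend this is an ISO image\n' > "$1/good/distro.iso"
    ( cd "$1/good" && sha256sum distro.iso > SHA256SUMS )
    cp "$1/good/SHA256SUMS" "$1/bad/SHA256SUMS"
    { cat "$1/good/distro.iso"; printf 'one extra byte\n'; } > "$1/bad/distro.iso"
    : > "$1/good/other.iso"   # on disk but absent from the list
}

# Sign the fixture's list with a throwaway key in an isolated GNUPGHOME and
# export that key as the "project keyring".  Returns 3 if gpg is missing.
sign_fixture() {            # usage: sign_fixture DIR
    command -v gpg >/dev/null 2>&1 || return 3
    GNUPGHOME="$1/gnupg"; export GNUPGHOME
    mkdir -p -m 700 "$GNUPGHOME"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Demo Project <demo@example.invalid>' default sign never || return 1
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --output "$1/good/SHA256SUMS.gpg" --detach-sign "$1/good/SHA256SUMS" || return 1
    gpg --batch --quiet --export --output "$1/project.gpg" || return 1
    # A list edited to match the altered ISO: the signature, made over the
    # genuine list, must not verify for it.
    ( cd "$1/bad" && sha256sum distro.iso > SHA256SUMS.forged )
}

case "${1:-}" in
    demo)
        d=$(mktemp -d)
        make_fixture "$d"
        verify_iso_hash "$d/good/SHA256SUMS" "$d/good/distro.iso" && echo "good/: hash matches"
        verify_iso_hash "$d/bad/SHA256SUMS" "$d/bad/distro.iso" || echo "bad/:  hash MISMATCH (rc=$?)"
        if sign_fixture "$d"; then
            verify_iso "$d/project.gpg" "$d/good/SHA256SUMS" "$d/good/SHA256SUMS.gpg" \
                "$d/good/distro.iso" && echo "good/: signature and hash OK"
            verify_sums_signature "$d/project.gpg" "$d/bad/SHA256SUMS.forged" \
                "$d/good/SHA256SUMS.gpg" || echo "bad/:  forged list rejected"
        fi ;;
    "") echo "usage: $0 demo | $0 KEYRING SUMS SIG ISO" >&2 ;;
    *)  [ $# -eq 4 ] && verify_iso "$@" && echo "verified: $4" ;;
esac
```

Run it as `sh verify-iso.sh demo` to see the constructed fixture pass and fail as expected, or `sh verify-iso.sh project.gpg SHA256SUMS SHA256SUMS.gpg distro.iso` against real files. The order matters: the hash list is only worth comparing against after its signature has been checked with a key that did not itself come from the site being verified.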

> From: "Rick Moen" <rick at linuxmafia.com>
> Subject: [sf-lug] (forw) Re: Something new on Distrowatch and Ubuntu variants.
> Date: Mon, 26 Apr 2021 16:10:03 -0700

> Seems to have accidentally drifted into private mail.
> Date: Mon, 26 Apr 2021 15:45:12 -0700
> From: Bobbie Sellers <bliss-sf4ever at dslextreme.com>
> To: Rick Moen <rick at linuxmafia.com>
> Subject: Re: [sf-lug] Something new on Distrowatch and Ubuntu variants.
>     No I trust the sites I download from.
>     If their checksum matches the file I downloaded I consider it secure.

