[sf-lug] (forw) Re: (forw) Re: Something new on Distrowatch and Ubuntu variants.

Rick Moen rick at linuxmafia.com
Mon Apr 26 20:15:30 PDT 2021

Bobbie wrote:

> Assuming the stupid hackers have put a trojan in the iso file, and
> added the checksum for the bad iso file, what is to keep them from
> falsifying the signature as well?

The fact that you have established a meaningful trust path to do so.

You acquired the development team PGP signing key in a way that gives
you meaningful grounds for belief that it is genuine, if only because,
say, it's now 2021 and you got the keyring directly from what you
believed to be the developer site in 2015, six years ago, it has been
unchanged in the developer's Web pages and source code repository all
the time since then, and you have reasonable faith that over six years
some alert person would have noticed the fake signing key.

This is not playing-around imitation of the outer appearance of
security, Bobbie.  This is _actual_, serious security.  The details have
been gone over by experts in extreme detail with a skeptical eye.

If you decide "Well, it can't actually be serious", then you lose -- and
so does anyone who makes the mistake of trusting your ISOs (without

> For many long years signatures were not available and my iso files
> generally worked.
Only extremely rare distro ISOs have failed to provide release
signatures, e.g., Linux Mint at first was that lax.  They learned the
hard way that this was a really bad idea.

Bobbie, kindly do not try to convince me of things that are
spectacularly wrong about Linux distributions.  I've been at this for a
very, very long time, and unlike you have actually been part of a team
of distro maintainers.

> I have seen viruses on Windows and boot viruses on Amiga.  On Windows
> I caught them with ClamAV from one or another of the numerous
> distributions I used to run.  When I first got acquainted with Linux I
> tried out lots of distributions.  On the Amiga with an Amiga specific
> anti-Virus software which I downloaded and there were no checksums
> much less signatures at all in those days.  The virus arrived on the
> bootblock of an 'on floppy disk' magazine.  I informed the publisher
> and he corrected the problem.

That's very nice, but utterly irrelevant and misses the point.  
You would not be able to detect a trojaned distro ISO using AV software
(in general), for reasons that should be obvious.  Moreover, it's far
simpler to just validate PGP signatures, which also actually works.

I'm not going to keep debunking irrelevancies, Bobbie.  If you wish to
keep spewing justifications for an outright negligent blunder, that is
your problem, not mine, and I am not going to work my fingers to the
bone trying to teach someone who is refusing to listen.

> A downloaded Iso may match checksums and signatures and still be
> unusable due to corrupted install scripts and I have been dealing with
> such over the past few months.

This _obviously_ is by definition irrelevant to the discussion.  Neither
checksums nor developer release signatures aspire to ensure that the
contents of a distribution is un-buggy, merely that the download is
uncorrupted in transit and is genuinely what the developer(s) released.

You already knew that, so why are you wasting everyone's time blowing
smoke that you know is completely irrelevant?

> Oh and if members are nervous about the iso files and image files I
> download then they can get the checksum and the signature files and
> check the isos themselve.

They can indeed compensate after the fact for your negligence and lack
of due diligence.

I merely called your attention to your negligence and lack of due

> Have a good afternoon all who are reading...

But you carelessly sent it offlist in private mail.  Again.
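The verification order the thread insists on (authenticate the checksum list with a key you already trust, and only then compare the ISO against it), written out as an added example; this is not code from the list post or from any distribution. It assumes the usual layout of a SHA256SUMS file with a detached SHA256SUMS.gpg signature, needs gpg and sha256sum on the PATH, and the demo at the end builds its own throwaway key, ISO and "mirror" copies in a temporary directory so it runs offline without touching your real keyring.

```sh
#!/bin/sh
# verify_iso ISO SHA256SUMS SHA256SUMS.gpg TRUSTED_KEYRING
# The first three files are expected in the same directory. Returns 0 only
# if BOTH the signature check and the checksum check pass.
verify_iso() {
    iso="$1"; sums="$2"; sig="$3"; keyring="$4"
    # Step 1, authenticity: was this checksum list signed by the key in the
    # keyring we pinned earlier? Someone who swaps the ISO and rewrites the
    # checksum file on the download site cannot produce this signature
    # without the developers' private key.
    gpg --batch --no-default-keyring --keyring "$keyring" \
        --verify "$sig" "$sums" >/dev/null 2>&1 || return 1
    # Step 2, integrity: does the downloaded ISO match the now-trusted list?
    # --ignore-missing skips the other images the list names; if no line
    # matches at all, sha256sum exits non-zero, which is the safe default.
    (cd "$(dirname "$iso")" && sha256sum -c --ignore-missing --quiet \
        "$(basename "$sums")" >/dev/null 2>&1)
}

# Throwaway demonstration with a constructed "release team" key, a fake ISO
# and three download scenarios. Returns 0 if every scenario is judged as
# expected: only the untouched mirror verifies.
demo() {
    work=$(mktemp -d)
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    uid="Example Release Team (constructed for demo) <release@example.invalid>"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1
    # The keyring a careful user fetched and pinned long before today's
    # download (the trust path the thread describes). It is deliberately
    # kept apart from the "mirror" directories below.
    gpg --batch --export "$uid" > "$work/trusted-keyring.gpg"

    # The developers' genuine release: ISO, checksum list, detached signature.
    mkdir -p "$work/release"
    printf 'genuine installer bytes\n' > "$work/release/distro.iso"
    (cd "$work/release" && sha256sum distro.iso > SHA256SUMS &&
        gpg --batch --pinentry-mode loopback --passphrase '' \
            --detach-sign --output SHA256SUMS.gpg SHA256SUMS) >/dev/null 2>&1

    # Scenario a: untouched mirror; both steps pass.
    cp -R "$work/release" "$work/a"
    # Scenario b: ISO replaced, checksum list left alone (a corrupted or
    # carelessly swapped download). Signature passes, checksum fails.
    cp -R "$work/release" "$work/b"
    printf 'trojaned installer bytes\n' > "$work/b/distro.iso"
    # Scenario c: ISO replaced AND checksum list rewritten to match, the case
    # Bobbie asked about. The old signature no longer covers the new list and
    # the attacker cannot make a fresh one, so step 1 fails.
    cp -R "$work/release" "$work/c"
    printf 'trojaned installer bytes\n' > "$work/c/distro.iso"
    (cd "$work/c" && sha256sum distro.iso > SHA256SUMS)

    result=0
    for s in a b c; do
        if verify_iso "$work/$s/distro.iso" "$work/$s/SHA256SUMS" \
                      "$work/$s/SHA256SUMS.gpg" "$work/trusted-keyring.gpg"; then
            echo "scenario $s: verified"; [ "$s" = a ] || result=1
        else
            echo "scenario $s: REJECTED"; [ "$s" != a ] || result=1
        fi
    done
    gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$work"
    return $result
}

demo || echo "demo: a scenario was judged differently than expected" >&2
```

For a real download, point `verify_iso` at the ISO you fetched, the SHA256SUMS and SHA256SUMS.gpg from the release directory, and a keyring file you exported from a key you acquired and checked earlier; the keyring must never be the one sitting next to the ISO on the same mirror, since that is exactly the file an attacker who controls the mirror would replace along with the checksums.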
