On Fri, Dec 7, 2018 at 9:07 PM Fabiano Fidêncio wrote:

> > http://ftp.debian.org/debian/dists/stretch/Release
>
> There's one problem with this file. It's not underneath the install tree URL.
> Our use case is that a user would provide an arbitrary install tree
> URL and we'd need to identify which OS it corresponds to. This
> arbitrary tree URL can be a mirror of the content on any 3rd party
> site.
>
> > http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/current/images/SHA256SUMS
>
> This one could be used if we'd have the "Description" entry as we do
> in http://ftp.debian.org/debian/dists/stretch/Release
> Do you think that adding the "Description" entry to the
> current/images/SHA256SUMS file would be easier/more secure than adding
> the ".treeinfo" file under
> http://ftp.debian.org/debian/dists/stretch/main/installer-amd64/ ?

These two files are to be used together like this:

Fetch the Release/Release.gpg files (or InRelease).
Verify the OpenPGP signature.
Use the metadata in the Release file.
Get the path to the installer hash files from the Release file.
Download the installer hash files.
Verify the hash in the Release file matches the installer hash files.
Download the installer files you're interested in.
Verify the hash in the installer hash files matches the installer files.

If you had apt available to you, I think it could be made to do some
parts of this for you based solely on the sources.list file.

The other thing is that we generally don't expose the files you are
looking at to users, we generally recommend folks use the netinst ISO,
which is on another server altogether:

https://www.debian.org/
https://www.debian.org/distrib/
https://www.debian.org/CD/
https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-9.6.0-amd64-netinst.iso

--
bye,
pabs

https://wiki.debian.org/PaulWise
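
The hash chain from the steps in the message above (Release -> installer hash file -> installer file), as an added example that is not part of the original message and is not Debian's own tooling. It assumes the OpenPGP signature on Release has already been verified; the function names are hypothetical and the Release and SHA256SUMS contents are constructed sample data.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_release(text: str):
    """Return (fields, sha256_index) from a Release file whose signature already verified."""
    fields, index, section = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and section == "SHA256":
            digest, size, path = line.split()   # " <hex digest> <size> <path>"
            index[path] = (digest, int(size))
        elif ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            section = key
            fields[key] = value.strip()
    return fields, index

def parse_sums(text: str):
    """Parse sha256sum-style lines: '<hex digest>  <path>'."""
    sums = {}
    for line in text.splitlines():
        if line.strip():
            digest, path = line.split(maxsplit=1)
            sums[path[2:] if path.startswith("./") else path] = digest
    return sums

def verify_chain(release_text, sums_path, sums_bytes, file_path, file_bytes):
    """Walk Release -> hash file -> installer file; raise ValueError on any mismatch."""
    fields, index = parse_release(release_text)
    if sums_path not in index:
        raise ValueError(f"{sums_path} is not listed in Release")
    digest, size = index[sums_path]
    if len(sums_bytes) != size or sha256(sums_bytes) != digest:
        raise ValueError(f"{sums_path} does not match Release")
    if parse_sums(sums_bytes.decode()).get(file_path) != sha256(file_bytes):
        raise ValueError(f"{file_path} does not match {sums_path}")
    return fields.get("Description")  # metadata is trusted only via the signed Release

# Constructed sample data (not real Debian archive contents).
IMAGE = b"constructed installer image bytes"
SUMS_PATH = "main/installer-amd64/current/images/SHA256SUMS"
SUMS = f"{sha256(IMAGE)}  ./netboot/mini.iso\n".encode()
RELEASE = ("Codename: stretch\nDescription: Constructed sample release\nSHA256:\n"
           f" {sha256(SUMS)} {len(SUMS)} {SUMS_PATH}\n")

if __name__ == "__main__":
    print(verify_chain(RELEASE, SUMS_PATH, SUMS, "netboot/mini.iso", IMAGE))
```

A mirror that alters either the hash file or an installer file fails the check, because every hash traces back to the signed Release file.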