On 12/13/13, Ralf Mardorf <ralf.mard...@alice-dsl.net> wrote:
> On Fri, 2013-12-13 at 12:27 +1100, Scott Ferguson wrote:
>> - you can also use the installer to self-check.
>
> If it's compromised a self-check could be done compared with whatever
> source.
True. But have you done a self-check? This is a first step: check SHAs.

OR self-check the digital signature of the Release.gpg file for your release (eg Jessie). See eg .../debian?/dists/jessie/Release.gpg

Your next step is to satisfy yourself that the signature/fingerprint of the key you are using for self-checking of a CD, for example, is "safe". So you need a sense of safety from the Debian Developers and their network or not-network servers. This is a "take for granted" type thing for me at the moment.

The next level of improvement in your sense of "safety" of the archive signing key is to check its fingerprint on, eg, this site:

> http://www.debian.org/CD/verify.en.html
> http://www.debian.org/CD/verify.de.html

eg:
"
pub   4096R/64E6EA7D 2009-10-03
      Key fingerprint = 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D
uid   Debian CD signing key <debian...@lists.debian.org>
"

For example, if you check the Debian signing key fingerprint from a few random Debian mirrors, perhaps through a TOR proxy to some overseas/other country Debian mirror website, then you should be _reasonably_ comfortable at that point that the key fingerprint on your machine or on your particular CD ISO is in fact the "real Debian" one.

The next level of improvement in your sense of safety regarding a particular key (you are concerned that global internet monitoring and NSA/KGB/etc bodies are all colluding to present to you a FAKE Debian archive signing key from ALL the websites you have accessed, via whichever network transport layers (direct through ISP, proxy through TOR etc) you have checked through) is to physically build your GPG "web of trust" or "chain of trust" - eg, host a keysigning party, and invite a Debian Developer in your area.

At this point, your efforts would probably be best spent working to become a Debian Developer, and to assist with development and auditing of various "important" packages in the Debian archive.
You also might consider rebuilding various "important" packages and libraries, eg GnuPG and those libs which do MD5 and SHAx hashing, and verifying that you can create bit-identical versions, or at least re-running your SHA and signature verification process using your custom-built libraries, and making sure you get the same verifications.

At that point, you might install some very old version of Debian (from say 7 years ago), then build the libraries required to build the "modern" libraries (or rather, library versions) for your SHA and GPG sig key checking, and check your modern iso/archive veracity on that old Debian installation.

At this point, you should have a pretty high level of certainty around the veracity of the GPG keys and signatures and SHA signatures etc.

Good luck :)
Zenaan

-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/caosgnstzu3a0mhxa2zt_xr1pnwnb5+z55emgy5-bxbnhcqq...@mail.gmail.com
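As an added example that is not part of Zenaan's post and not Debian's own tooling: a POSIX shell script that carries out the first two steps of the procedure above (check the image's SHA-512 sum against the mirror's SHA512SUMS file, then verify the detached GPG signature on SHA512SUMS) and accepts the signature only when the signing key's full fingerprint equals the one quoted from debian.org/CD/verify. It also contains a small helper for the third step, requiring that fingerprint copies fetched from several independent sources (mirrors, Tor, a printed copy) all agree. The file names, the throwaway key and the demo() function are assumptions so that the script runs offline; the expected fingerprint is the 2009 Debian CD signing key fingerprint quoted in the post.

```shell
#!/bin/sh
# Added example, not Debian's scripts: SHA512SUMS + detached-signature check that
# pins the signing key's full fingerprint. demo() builds an offline test bed with
# a fake "ISO" and a throwaway key (assumed names; not real Debian artefacts).
set -u

# Fingerprint of the Debian CD signing key as published on debian.org/CD/verify.
EXPECTED_FPR="1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D"

# Strip spaces and upper-case so copies from different sites compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'; }

# All fingerprints gathered from independent sources must equal the reference.
# A short key ID such as 64E6EA7D is rejected outright: it is not a fingerprint
# and short IDs are cheap to collide.
fingerprints_agree() {  # $1 = reference fingerprint, $2.. = copies to compare
    want=$(norm_fpr "$1"); shift
    [ ${#want} -eq 40 ] || return 1
    for f in "$@"; do
        [ "$(norm_fpr "$f")" = "$want" ] || return 1
    done
    return 0
}

# Step 1 (check SHAs): the image must match its own line in SHA512SUMS;
# awk selects the line by file name, sha512sum -c recomputes and compares.
verify_checksum() {  # $1 = SHA512SUMS, $2 = image file name in the current directory
    awk -v f="$2" '$2 == f' "$1" | sha512sum -c --status
}

# Step 2 (verify the signature): "Good signature" alone is not enough, because it
# only says *some* key in your keyring signed the file. gpg's VALIDSIG status
# line carries the signing key's full fingerprint; that is what gets compared.
verify_signature() {  # $1 = .sign file, $2 = signed file, $3 = expected fingerprint
    status=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || return 1
    got=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $3; exit }')
    fingerprints_agree "$3" "$got"
}

# Offline demo (constructed data): fake image, its SHA512SUMS, a throwaway key in a
# private GNUPGHOME, a signature by that key. Returns 0 only if the genuine files
# pass, the Debian fingerprint is NOT accepted for the demo key's signature, and a
# tampered image fails the checksum.
demo() {
    tmp=$(mktemp -d) || return 1
    export GNUPGHOME="$tmp/gnupg"
    mkdir -m 700 "$GNUPGHOME" || return 1
    cd "$tmp" || return 1
    printf 'not really an ISO image\n' > debian-8.0.0-amd64-netinst.iso
    sha512sum debian-8.0.0-amd64-netinst.iso > SHA512SUMS
    cat > keyparams <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Throwaway demo key
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --gen-key keyparams 2>/dev/null || return 1
    demo_fpr=$(gpg --batch --with-colons --fingerprint | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --armor --detach-sign --output SHA512SUMS.sign SHA512SUMS 2>/dev/null || return 1
    verify_checksum SHA512SUMS debian-8.0.0-amd64-netinst.iso || return 1
    verify_signature SHA512SUMS.sign SHA512SUMS "$demo_fpr" || return 1
    if verify_signature SHA512SUMS.sign SHA512SUMS "$EXPECTED_FPR"; then return 1; fi
    printf 'tampered\n' >> debian-8.0.0-amd64-netinst.iso
    if verify_checksum SHA512SUMS debian-8.0.0-amd64-netinst.iso; then return 1; fi
    return 0
}
```

In real use the order is reversed from how the post lists it in importance: fetch SHA512SUMS and SHA512SUMS.sign from the mirror next to the ISO, import the CD signing key only after its fingerprint has been checked against several independent sources, run verify_signature with that fingerprint, and only then verify_checksum. If the mirror is the only place the fingerprint was ever read from, the signature check proves nothing that the checksum did not already.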