undefined | Better HN

0 pointsyebyen11y ago0 comments

If you know how to verify the signatures properly, that would work. I'm thinking if you don't know that, and if you're willing to do what you just described, you probably don't really care about these CVEs anyway.

0 comments

pwnna11y ago

Can't you also just verify the sha256 from debian's site? I wrote a script here: https://gist.github.com/shuhaowu/286e6681d6faa473ebb0

yebyenOP11y ago

sha256 doesn't provide any web-of-trust; if your download is compromised, the sha-sums that you download to verify them could also be compromised in the same way. If the crypto signatures are verified and your installed keyring is genuine (came from a genuine installation media), then you know that the packages you installed (and their signatures) actually came from the Debian project.

That being said, you can try verifying the sha256 and you might catch "them" that way if they didn't think of that.

pwnna11y ago

Well I got the sha256 from the debian site, which is HTTPS secured, which I assume is uncompromised because of this vulnerability, correct? Or am I missing something here?

1 more reply

j / k navigate · click thread line to collapse

0 pointsyebyen11y ago0 comments

0 comments

pwnna11y ago

Can't you also just verify the sha256 from debian's site? I wrote a script here: https://gist.github.com/shuhaowu/286e6681d6faa473ebb0

yebyenOP11y ago

That being said, you can try verifying the sha256 and you might catch "them" that way if they didn't think of that.

pwnna11y ago

Well I got the sha256 from the debian site, which is HTTPS secured, which I assume is uncompromised because of this vulnerability, correct? Or am I missing something here?

1 more reply

j / k navigate · click thread line to collapse