Where are the GPG Signatures?


Post by 1jX66Wtz »

I saw a question like this posted some while ago, but not in this section where I think it should have been.

In these days of the NSA tapping international cables, hijacking downloads, and possibly much, much more, you only publish MD5 hashes of the ISO files. I'm sure there is some kind of internal package verification done when an install is being done, and I suspect the development team actually probably have and use the GPG signatures for their own verification purposes. So how come you don't publish them?

MD5 hashes have been known to be insecure for a long time. Fedora and even Ubuntu publish an assortment of hashes that are much more secure than MD5, and then sign them with the Fedora or Ubuntu GPG release key.

This is a quote from Wikipedia re: "MD5 hashes":

..."Also in 2004 more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable — specifically, a group of researchers described how to create a pair of files that share the same MD5 checksum."

Please don't misunderstand, I'm not being nasty. I'm an ex-Windows user, and am purposely moving away from Windows for security reasons. So I would just like to know why.

Post by eanfrid »

Those MD5 hashes are not there to authenticate the files but to ensure that the file was downloaded/written to disk without error. So yes, another way to authenticate the ISO files is needed, since GPG is already used in the repos.

Edit: BTW Debian publishes GPG signatures, SHA-1, SHA256 and SHA512 hashes in addition to MD5 hashes.
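A worked version of the flow both posts are describing, as an added example (not code from this thread or from Linux Mint): the download-corruption check a checksum list gives you, the mirror-side swap that check cannot catch because the attacker republishes matching sums, and the detached GnuPG signature over the checksum list that does catch it. The hash part uses only the Python standard library; the signature part assumes `gpg` (GnuPG 2.1 or later) is on PATH and builds an ephemeral keyring in a temporary directory. The ISO contents, file names and the "Release Key (demo)" identity are constructed for the demo and stand in for a real distribution's release key and checksum files.

```python
# Added example, not from the forum thread or from Linux Mint.
# Assumes `gpg` (GnuPG 2.1+) on PATH for the signature part; all files
# and the demo key identity below are constructed for the demonstration.
import hashlib
import os
import shutil
import subprocess
import tempfile


def file_digest(path, algo="sha256"):
    """Stream a file through hashlib; a multi-GB ISO must not be read in one go."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sums(text):
    """Parse md5sum/sha256sum output lines: '<hex>  <name>' or '<hex> *<name>' (binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries


def check_sums(sums_text, directory, algo="sha256"):
    """Emulate `sha256sum -c --ignore-missing`: {name: 'OK' | 'FAILED'} for files present."""
    results = {}
    for name, expected in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if os.path.exists(path):
            results[name] = "OK" if file_digest(path, algo) == expected else "FAILED"
    return results


def gpg(home, *args):
    """Run gpg against an isolated keyring (GNUPGHOME) and return the CompletedProcess."""
    env = dict(os.environ, GNUPGHOME=home)
    return subprocess.run(["gpg", "--batch", "--yes", *args], env=env,
                          capture_output=True, text=True)


def gpg_verify(home, sig_path, data_path):
    """True iff gpg accepts the detached signature; exit status 0 is the only 'good' answer."""
    return gpg(home, "--verify", sig_path, data_path).returncode == 0


def release_verification_demo():
    """Constructed scenario: a hostile mirror swaps the ISO and republishes matching sums."""
    out = {"signature_over_genuine_sums": None, "signature_over_attacker_sums": None}
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "linuxmint.iso")
        with open(iso, "wb") as f:
            f.write(b"genuine iso bytes " * 1024)          # constructed stand-in for an ISO
        sums = f"{file_digest(iso)}  linuxmint.iso\n"       # what the project would publish
        md5sums = f"{file_digest(iso, 'md5')}  linuxmint.iso\n"
        out["genuine_sums_check"] = check_sums(sums, d)["linuxmint.iso"]
        out["genuine_md5sums_check"] = check_sums(md5sums, d, "md5")["linuxmint.iso"]

        # Whoever can alter the download can alter the unsigned checksum list too.
        with open(iso, "wb") as f:
            f.write(b"backdoored iso bytes " * 1024)
        evil_sums = f"{file_digest(iso)}  linuxmint.iso\n"
        out["tampered_iso_vs_attacker_sums"] = check_sums(evil_sums, d)["linuxmint.iso"]
        out["tampered_iso_vs_genuine_sums"] = check_sums(sums, d)["linuxmint.iso"]

        # Only a signature from a key the attacker does not hold catches the swap.
        if shutil.which("gpg") is None:
            return out                                      # hash checks above still ran
        home = os.path.join(d, "gnupg")
        os.mkdir(home, 0o700)
        gen = gpg(home, "--pinentry-mode", "loopback", "--passphrase", "",
                  "--quick-generate-key", "Release Key (demo) <release@example.invalid>",
                  "ed25519", "sign", "0")
        if gen.returncode != 0:
            return out                                      # gpg too old for quick-generate-key
        sums_path = os.path.join(d, "SHA256SUMS")
        with open(sums_path, "w") as f:
            f.write(sums)
        sig_path = sums_path + ".gpg"                       # Ubuntu/Debian layout: SHA256SUMS.gpg
        if gpg(home, "--detach-sign", "-o", sig_path, sums_path).returncode != 0:
            return out
        out["signature_over_genuine_sums"] = gpg_verify(home, sig_path, sums_path)
        with open(sums_path, "w") as f:
            f.write(evil_sums)                              # attacker's list, original signature
        out["signature_over_attacker_sums"] = gpg_verify(home, sig_path, sums_path)
    return out


if __name__ == "__main__":
    for key, value in release_verification_demo().items():
        print(f"{key}: {value}")
```

The order of operations is the point: verify the signature over the checksum list first (`gpg --verify SHA256SUMS.gpg SHA256SUMS`, with the release key fetched and fingerprint-checked out of band), and only then run `sha256sum -c --ignore-missing SHA256SUMS`. Without the signature, the demo shows the attacker's list passing the hash check just as the genuine one does, whether the list is MD5 or SHA-256, which is exactly the distinction eanfrid draws between detecting a bad download and authenticating the file.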