Bug 12180 - GPG Signing of IPfire releases
Summary: GPG Signing of IPfire releases
Status: CLOSED DUPLICATE of bug 11345
Alias: None
Product: Infrastructure
Classification: Unclassified
Component: Web Site
Version: unspecified
Hardware: unspecified Unspecified
: - Unknown - Security
Assignee: Michael Tremer
QA Contact:
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-09-13 21:04 UTC by gpatel-fr
Modified: 2019-09-13 21:19 UTC
0 users

See Also:


Description gpatel-fr 2019-09-13 21:04:50 UTC
Currently the IPFire releases have hashes available that allow verifying the download integrity on this page:
https://www.ipfire.org/download/ipfire-2.23-core135

Other distros go further and allow verifying the integrity of the hashes themselves, for example:
http://releases.ubuntu.com/bionic/
The hashes are stored in files, and there are GPG files that allow verifying that the hashes (and the ISOs themselves) originate from the developers, in case the web page is hacked or in case of DNS poisoning.

Ubuntu is not an isolated case, see for example
https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/
https://getfedora.org/en/security/
https://alpinelinux.org/downloads/
http://mirrors.evowise.com/archlinux/iso/2019.09.01/

While this is not a pressing matter, I think that this would enhance IPFire's standing and remove a small motivation for hackers to target IPFire, knowing that the hacked image could be detected relatively easily.
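The verification flow the report asks for, as an added example that is not part of the original report and is not IPFire or Ubuntu code: the detached signature on the checksum file is checked against a locally pinned keyring first, and only then is the image hash trusted. The file names (`SHA256SUMS`, `SHA256SUMS.gpg`, `pinned.gpg`, `example.iso`) and all function names are assumptions.

```python
import hashlib
import hmac
import subprocess


def parse_sums(text):
    """Parse sha256sum-style lines ('<hex>  <name>') into {name: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary mode
        if len(digest) == 64 and all(c in "0123456789abcdef" for c in digest):
            sums[name] = digest
    return sums


def signature_ok(sums_path, sig_path, keyring_path):
    """True only if gpgv accepts the detached signature using the pinned keyring.

    gpgv trusts every key in the keyring, so the keyring must hold only the
    release key obtained out of band. Pass a path containing a '/', otherwise
    gpgv resolves the name inside the GnuPG home directory.
    """
    try:
        result = subprocess.run(
            ["gpgv", "--keyring", keyring_path, sig_path, sums_path],
            capture_output=True)
    except FileNotFoundError:  # gpgv not installed: fail closed
        return False
    return result.returncode == 0


def image_matches(image_path, name, sums):
    """Compare the image's SHA-256 with the entry listed for `name`."""
    expected = sums.get(name)
    if expected is None:
        return False
    h = hashlib.sha256()
    with open(image_path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected)


def verify_release(image_path, name, sums_path, sig_path, keyring_path):
    """Return 'ok', 'bad-signature' or 'bad-hash'; hashes are read only once signed."""
    if not signature_ok(sums_path, sig_path, keyring_path):
        return "bad-signature"
    with open(sums_path) as f:
        sums = parse_sums(f.read())
    return "ok" if image_matches(image_path, name, sums) else "bad-hash"
```

A checksum file served from the same compromised page as the image fails at the signature step, before any hash in it is consulted.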
Comment 1 gpatel-fr 2019-09-13 21:19:07 UTC
After posting this bug I noticed that it was already present.
Comment 2 gpatel-fr 2019-09-13 21:19:35 UTC

*** This bug has been marked as a duplicate of bug 11345 ***