tinycorelinux.net does not support SSL, Chrome blocks downloads

curaga:
A signed extension implies the extension itself can be trusted. It would be trivial for a Jia Tan (see the recent xz news) to contribute a compromised extension, which would then be signed.

Dies Irae:
Thanks for your clarification. With the utmost respect (really), I'd personally only 'trust' the signify to show that I obtained the binary that is in the repository. After all, with the same xz example, that could still have been in our repo (if someone in good faith had compiled and submitted it).
A more 'glaring' bad extension would hopefully have more eyeballs (Not only the person that somewhat skimmed what was submitted, but also the other users (by usage) of the extension).
It would only guarantee that whatever is currently in the repo, is what I got, be it good, or bad.

Who knows, a fair poll could shed some light on what 'the masses' think about the subject. You may be very right that they would mis-perceive its purpose (what it does, and doesn't add/do).

mrodrigues:
SSL certs are about more than just encrypting traffic. They help establish that the web server is run by the same organization who manages the DNS record. This lets you be reasonably assured your connection is not being man-in-the-middled.

This is particularly helpful when downloading an operating system, as with no HTTPS, it would be trivial to MitM and spoof the TC download site with a malicious installer.

IMO, it's pretty ridiculous that a site serving OS downloads isn't using HTTPS in the letsencrypt era.

curaga:
Many of our mirrors offer https. If you worry about MITM, please download from those.

nick65go:
http vs. https is just the peak of the iceberg (MITM corruption).

Looking over the process to grab a package for Alpine Linux:
In the context below, package/application is the equivalent of a Tinycore TCZ.

1. For each CPU architecture (ex: x86_64) they have a list (index) of the programs (like TCZ) that they offer. This list/index is SHA1 signed, which means that no alien contributions/packages (similar to TCZ) could arrive on the server (with different file size, time stamp, etc.). Only from verified contributors.

2. Each TCZ/package is also SHA1 signed, to check if the package was modified during download.

3. In the package, each FILE is SHA1 signed (has PAX header in TAR segments), so even if the package was correctly downloaded, it cannot be tampered with inside (back doors).

FYI: Other advantages:
4. There is only one version of a library. Ex: if an application depends on some *.so (ex: ABC.so.10), when ABC is updated (to ABC.so.20) then ALL apps that depend on it will also be updated/recompiled. So there will be no case where a dependency of a dependency drags both/multiple versions of ABC.so into a dependency tree. [or loads both, like in tinycore when using FlaxPdf and Xpdf].

Minimalism/simplicity is not equivalent to security, but it helps a little by reducing attack surface and the possible bugs/back-doors.
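A simplified model of the index, package and per-file checks discussed in this thread, added here as an example; it is not part of any post and is not Alpine's or Tiny Core's actual format or tooling. The tar-plus-MANIFEST layout, SHA-256, the pinned index digest standing in for a real signature check, and all names are assumptions.

```python
import hashlib, io, json, tarfile

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()   # SHA-256 is an assumption of this sketch

def build_package(files: dict[str, bytes]) -> bytes:
    """Constructed format: a tar holding the files plus a MANIFEST of per-file digests."""
    manifest = json.dumps({n: digest(c) for n, c in files.items()}).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in [("MANIFEST", manifest), *sorted(files.items())]:
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def verify_download(index: bytes, pinned_index_digest: str, name: str, pkg: bytes) -> str:
    # Level 1: the index must be the one the repository maintainers published.
    # A pinned digest stands in here for a real signature check on the index.
    if digest(index) != pinned_index_digest:
        return "index mismatch"
    # Level 2: the package must be the one that index lists.
    if json.loads(index).get(name) != digest(pkg):
        return "package mismatch"
    return "ok"

def audit_installed(pkg: bytes, installed: dict[str, bytes]) -> list[str]:
    # Level 3: compare files on disk with the per-file digests shipped in the package.
    with tarfile.open(fileobj=io.BytesIO(pkg)) as tar:
        manifest = json.loads(tar.extractfile("MANIFEST").read())
    return sorted(n for n, d in manifest.items() if digest(installed.get(n, b"")) != d)

# Constructed sample data (hypothetical package name and contents).
clean = {"usr/bin/tool": b"print('hello')\n", "usr/lib/libabc.so": b"\x7fELF-good"}
pkg = build_package(clean)
index = json.dumps({"tool.tcz": digest(pkg)}).encode()
pinned = digest(index)

# A package that was already compromised when it was submitted and indexed.
bad_pkg = build_package({**clean, "usr/lib/libabc.so": b"\x7fELF-backdoored"})
bad_index = json.dumps({"tool.tcz": digest(bad_pkg)}).encode()
bad_pinned = digest(bad_index)

if __name__ == "__main__":
    print(verify_download(index, pinned, "tool.tcz", pkg))              # untouched download
    print(verify_download(index, pinned, "tool.tcz", pkg + b"x"))       # altered in transit
    print(verify_download(bad_index, bad_pinned, "tool.tcz", bad_pkg))  # compromised at source
```

The last call returns the same result as the first: every level confirms that the download matches what the repository holds, not that what the repository holds is good.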
