Page MenuHomeVyOS Platform

PGP key and verifying procedure (or a link to it) should be added to the website
Closed, ResolvedPublic

Description

There's a fairly unlikely but not impossible scenario: a malicious mirror maintainer or an attacker replaces all content of a mirror with a self-built image and corresponding PGP key and signatures. This will not work for upgrading images downloaded from valid mirrors (unless the user chooses to ignore the signature check), but can affect people who download the image and install from scratch.

Those who install for the first time should have an easy way to get the authoritative key, and find out which download site is the authoritative one too.

Details

Difficulty level
Easy (less than an hour)
Version
1.2.x ; 1.3
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

syncer removed syncer as the assignee of this task.Dec 23 2016, 9:04 AM
syncer added a subscriber: syncer.
syncer added a project: Restricted Project.Jun 10 2018, 12:25 PM
syncer added a subscriber: Maintainers.
s.lorente closed this task as Resolved.May 4 2020, 4:30 PM
s.lorente set Version to 1.2.x ; 1.3.
s.lorente set Is it a breaking change? to Unspecified (possibly destroys the router).
pasik added a subscriber: pasik.May 4 2020, 6:51 PM