zlacker

>>LorenD+(OP)
The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?

>>hypeat+m5
Not foolproof. Could compute MD5 or SHA256 after downloading.

>>firest+Y5
And compare it against what?

EDIT: nevermind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

>>hypeat+s7
Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.

>>maccar+18
An integrity check is better than nothing, but yes it says nothing about its authenticity.

>>hypeat+n8
You can use this site

https://distro.ibiblio.org/tinycorelinux/downloads.html

And all the files are here

https://distro.ibiblio.org/tinycorelinux/16.x/x86/release/

Under a HTTPS connection. I am not at a terminal to check the cert with OpenSSL.

I don’t see any way to check the hash OOB

Also this same thing came up a few years ago

https://www.linuxquestions.org/questions/linux-newbie-8/reli...

>>firest+V9
Is that actually tiny core? It’s _likely_ it is, but that’s not good enough.

> this same thing came up a few years ago

Honestly, that makes this inexcusable. There are numerous SSL providers available for free, and if that’s antithetical to them, they can use a self signed certificate and provide an alternative method of verification (e.g. via mailing list). The fact they don’t take this seriously means there is 0 chance I would install it!

Honestly, this is a great use for a blockchain…

>>maccar+5e
I usually only install on like a Raspberry Pi or VM for these toy distros

Are any distros using block chain for this ?

I am used to using code signing with HSMs