zlacker

[return to "Tiny Core Linux: a 23 MB Linux distro with graphical desktop"]
1. hypeat+m5 2025-12-06 15:07:49
>>LorenD+(OP)
The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?
2. firest+Y5 2025-12-06 15:13:35
>>hypeat+m5
Not foolproof. Could compute MD5 or SHA256 after downloading.
3. hypeat+s7 2025-12-06 15:23:26
>>firest+Y5
And compare it against what?

EDIT: never mind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

4. maccar+18 2025-12-06 15:27:53
>>hypeat+s7
Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.
5. hypeat+n8 2025-12-06 15:30:44
>>maccar+18
An integrity check is better than nothing, but yes it says nothing about its authenticity.
6. firest+V9 2025-12-06 15:40:53
>>hypeat+n8
You can use this site

https://distro.ibiblio.org/tinycorelinux/downloads.html

And all the files are here

https://distro.ibiblio.org/tinycorelinux/16.x/x86/release/

Under an HTTPS connection. I am not at a terminal to check the cert with OpenSSL.

I don’t see any way to check the hash OOB

Also this same thing came up a few years ago

https://www.linuxquestions.org/questions/linux-newbie-8/reli...

7. maccar+5e 2025-12-06 16:13:22
>>firest+V9
Is that actually tiny core? It’s _likely_ it is, but that’s not good enough.

> this same thing came up a few years ago

Honestly, that makes this inexcusable. There are numerous SSL providers available for free, and if that’s antithetical to them, they can use a self-signed certificate and provide an alternative method of verification (e.g. via mailing list). The fact they don’t take this seriously means there is 0 chance I would install it!

Honestly, this is a great use for a blockchain…

8. firest+9g 2025-12-06 16:29:57
>>maccar+5e
I usually only install on like a Raspberry Pi or VM for these toy distros

Are any distros using blockchain for this?

I am used to using code signing with HSMs

9. maccar+ft 2025-12-06 18:19:15
>>firest+9g
I’d install it as a VM maybe.

> are any distros using blockchain

I don’t think so, but it’s always struck me as a good idea - it’s actual decentralised verification of a value that can be confirmed by multiple people independently without trusting anyone other than the signing key is secure.

> I am used to code signing with HSMs

Me too, but that requires distributing the public key securely which… is exactly where we started this!
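
The distinction drawn in this thread, between a hash fetched from the same HTTP origin as the download and one obtained over a separate channel, as an added example that is not part of any post. The file name, image bytes and checksum lists are constructed, and whether the second channel is itself trustworthy is an assumption the code cannot check.

```python
import hashlib, hmac, os, tempfile

def parse_checksums(text):
    """Parse md5sum/sha256sum output lines ('<hex>  <name>') into {name: hex}."""
    out = {}
    for line in (text or "").splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[1].strip().lstrip("*")] = parts[0].lower()
    return out

def file_digest(path, algo="sha256"):
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, name, same_origin, independent=None, algo="sha256"):
    """same_origin: checksum list from the host that served the file.
    independent: checksum list obtained over a separate channel, if any."""
    actual = file_digest(path, algo)
    same = parse_checksums(same_origin).get(name)
    indep = parse_checksums(independent).get(name)
    if indep is None:
        # Only the download's own origin vouches for it: this detects corruption,
        # not substitution by whoever controls that origin or the path to it.
        ok = same is not None and hmac.compare_digest(actual, same)
        return "INTEGRITY_ONLY" if ok else "MISMATCH"
    if not hmac.compare_digest(actual, indep):
        return "MISMATCH"
    return "MATCHES_INDEPENDENT" if same in (None, indep) else "SOURCES_DISAGREE"

def demo():
    """Constructed scenario: the image and its same-origin hash are both swapped."""
    name = "example.iso"  # placeholder file name, not a real release file
    genuine, tampered = b"genuine image bytes", b"tampered image bytes"
    published = "%s  %s\n" % (hashlib.sha256(genuine).hexdigest(), name)
    swapped = "%s  %s\n" % (hashlib.sha256(tampered).hexdigest(), name)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(tampered)
        return (verify(path, name, swapped), verify(path, name, swapped, published))

if __name__ == "__main__":
    print(demo())
```

With only the same-origin list the swapped image still passes as `INTEGRITY_ONLY`; the mismatch appears only once a list from a second channel is supplied.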
