zlacker

[return to "Tiny Core Linux: a 23 MB Linux distro with graphical desktop"]
1. hypeat+m5[view] [source] 2025-12-06 15:07:49
>>LorenD+(OP)
The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?
◧◩
2. firest+Y5[view] [source] 2025-12-06 15:13:35
>>hypeat+m5
Not foolproof. Could compute MD5 or SHA256 after downloading.
◧◩◪
3. hypeat+s7[view] [source] 2025-12-06 15:23:26
>>firest+Y5
And compare it against what?

EDIT: nevermind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

◧◩◪◨
4. maccar+18[view] [source] 2025-12-06 15:27:53
>>hypeat+s7
Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.
◧◩◪◨⬒
5. firest+Da[view] [source] 2025-12-06 15:46:35
>>maccar+18
There is a secure domain to download from as a mirror. For extra high security, the hash should be delivered OOB like on a mailing list but it isn’t
◧◩◪◨⬒⬓
6. maccar+Rt[view] [source] 2025-12-06 18:22:40
>>firest+Da
Where is that mirror linked from? If for the HTTP site that’s no better than downloading it from the website in the first place.

> for extra high security,

No, sending the hash on a mailing list and delivering downloads over https is the _bare minimum_ of security in this day and age.

[go to top]