Space

@marcan Excuse my ignorance, but can you explain why the distro model is less secure? Are you hinting at control of mirrors not run by the distro itself and mirrors not serving via HTTPS? Anything else I missed? (Not trying to be a smart ass, just trying to get the full picture.)

Hector Martin

@space Yes, the problem is distros that continue using the "random third party mirror" model to distribute their installers/ISOs. Even if they consistently use HTTPS, it's much easier to compromise a random mirror since they are run by many third parties. Of course, when they do this they invariably offer at least a SHA hash of the ISO or something on the primary website, but most people don't check that.

Random third party mirrors are fine for automated install systems that verify signatures without user interaction (e.g. package repositories), but I consider it an antipattern in this day and age for direct user distribution because the vast majority of users that don't verify anything will be exposed to the attack surface of countless third parties. For Asahi we use a commercial CDN, so there is a single point of compromise (and if you hack into Bunny.net or Amazon there are probably juicier targets than us).

We could further improve this by making the bootstrap script a trust root that verifies everything else directly, and serving it from an even more tightly controlled server, though we don't do that today (yet).
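The "bootstrap script as trust root" idea from the reply above, as an added example (this is not Asahi's installer code, and the pinned digest, file names and `demo` function are assumptions for illustration): a small script that carries the expected SHA-256 of the next-stage artifact inside itself, so that whatever CDN or mirror served the artifact, the script refuses to execute it unless the digest matches. The only thing the user then has to obtain from the tightly controlled server is the bootstrap script itself.

```shell
#!/bin/sh
# Added example, not the project's own code: a minimal "trust root"
# bootstrap that will not run a downloaded stage-2 artifact unless its
# SHA-256 matches a digest pinned inside this script.
set -eu

# Hypothetical pinned digest for the stage-2 script (assumption). In the
# demo below it is the SHA-256 of the literal "hello\n".
STAGE2_SHA256="5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"

sha256_of() {
    # Portable digest helper: GNU coreutils sha256sum or BSD/macOS shasum.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_artifact() {
    # verify_artifact FILE EXPECTED_HEX -> exit status 0 on match, 1 otherwise.
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

run_stage2() {
    # Fail closed: a digest mismatch leaves the file untouched and never
    # hands it to the shell, regardless of which server it came from.
    if verify_artifact "$1" "$STAGE2_SHA256"; then
        sh "$1"
    else
        echo "stage-2 digest mismatch, refusing to run" >&2
        return 1
    fi
}

# Constructed demo standing in for a real download: the "good" artifact is
# the literal "hello\n" (whose SHA-256 is the pinned digest), the tampered
# one differs by a single byte.
demo() {
    tmpdir=$(mktemp -d)
    printf 'hello\n' > "$tmpdir/stage2.sh"
    printf 'hellx\n' > "$tmpdir/tampered.sh"
    verify_artifact "$tmpdir/stage2.sh" "$STAGE2_SHA256" && echo "stage2.sh: digest OK"
    verify_artifact "$tmpdir/tampered.sh" "$STAGE2_SHA256" || echo "tampered.sh: digest MISMATCH"
    rm -rf "$tmpdir"
}
demo
```

The pinned digest only protects the hop from the CDN to the user; it does nothing if the server that hands out the bootstrap script itself is compromised, which is why the reply above wants that server to be the most tightly controlled one. A detached signature checked against a key the user already has would extend the same protection to the bootstrap script.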

