Page MenuHomeVyOS Platform
Create Task
Maniphest T163

PGP key and verifying procedure (or a link to it) should be added to the website
Closed, ResolvedPublic
Actions

Description

There's a fairly unlikely but not impossible scenario: a malicious mirror maintainer or an attacker replaces all content of a mirror with a self-built image and corresponding PGP key and signatures. This will not work for upgrading images downloaded from valid mirrors (unless the user chooses to ignore the signature check), but can affect people who download the image and install from scratch.

Those who install for the first time should have an easy way to get the authoritative key, and find out which download site is the authoritative one too.

Details

Difficulty level
Easy (less than an hour)
Version
1.2.x ; 1.3
Is it a breaking change?
Unspecified (possibly destroys the router)

Event Timeline

dmbaturin created this task.Sep 26 2016, 4:56 AM
syncer removed syncer as the assignee of this task.Dec 23 2016, 9:04 AM
syncer added a subscriber: syncer.
syncer added a project: Restricted Project.Jun 10 2018, 12:25 PM
syncer added a subscriber: Maintainers.
Unknown Object (User) added a subscriber: Unknown Object (User).May 4 2020, 4:28 PM

That was done.

https://docs.vyos.io/en/latest/install.html#download

Unknown Object (User) closed this task as Resolved.May 4 2020, 4:30 PM
Unknown Object (User) set Version to 1.2.x ; 1.3.
Unknown Object (User) set Is it a breaking change? to Unspecified (possibly destroys the router).
pasik added a subscriber: pasik.May 4 2020, 6:51 PM