[PVE-User] HTTPS for download.proxmox.com

Francesco Ongaro francesco.ongaro at isgroup.it
Thu Nov 30 18:12:13 CET 2017


On 30/11/2017 16:44, Fabian Grünbichler wrote:
>> Francesco Ongaro <francesco.ongaro at isgroup.it> hat am 30. November 2017 um 16:34 geschrieben:
>> You are right until you install something manually using dpkg.
>>
>> Example:
>>
>> http://download.proxmox.com/temp/pve-kernel-4.13.4-1-pve_4.13.4-26~vmxtest1_amd64.deb
> 
> for which I posted the hash sums on the channel where it was linked (the forum[1]), which is - surprise - only available over TLS ;) this thread is starting to get ridiculous..
> 
> 1: https://forum.proxmox.com/threads/pve-5-1-kvm-broken-on-old-cpus.37666/#post-185463

Hi Fabian,

I think that good security is implemented by overlapping multiple
controls while keeping the workflow simple and convenient for end
users.

When the cost is low it's often a no-brainer to implement a security
control.

Checking hashes manually is certainly doable, maybe not that convenient.

Sorry to sound ridiculous to you[1], my opinion is that being able to
communicate in a professional way is a nice skill to cultivate.

Best regards,
Francesco

[1] https://wiki.debian.org/SummerOfCode2013/StudentApplications/FabianG

"I am an advocat of free and open source software as well as meaningful
security solutions for everyone (such as accessable encrypted
communication methods and secure information storage)."

-- 
Francesco Ongaro, Senior Security Researcher
ISGroup: Information Security Group (www.isgroup.it)
Tel       (+39) 045 4853232
Fax       (+39) 045 5111719
Voicemail (+39) 02 320624653

AVVISO PRIVACY

Il contenuto della presente e-mail ed i suoi allegati, sono diretti
esclusivamente al destinatario e devono ritenersi riservati, con
divieto di diffusione o di uso non conforme alle finalità per le quali
la presente e-mail è stata inviata.

Pertanto, ne è vietata la diffusione e la comunicazione da parte di
soggetti diversi dal destinatario, ai sensi degli artt. 616 e ss. c.p.
e D.lgs n. 196/03 Codice Privacy.

Se la presente e-mail ed i suoi allegati sono stati ricevuti per
errore, siete pregati di distruggere quanto ricevuto e di informare il
mittente al seguente recapito: isgroup at isgroup.it


More information about the pve-user mailing list