Tiny Core Linux: a 23 MB Linux distro with graphical desktop

1. hypeatei ◴[06 Dec 25 15:07 UTC] No.46173879[source]▶

The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?

replies(4): >>46173917 #>>46173924 #>>46173945 #>>46174299 #

2. firesteelrain ◴[06 Dec 25 15:13 UTC] No.46173917[source]▶

>>46173879 (TP) #

Not foolproof. Could compute MD5 or SHA256 after downloading.

replies(1): >>46174009 #

3. lysace ◴[06 Dec 25 15:14 UTC] No.46173924[source]▶

>>46173879 (TP) #

Ideas to decrease risk of MITM:

Download from at least one more location (like some AWS/GCP instance) and checksum.

Download from the Internet Archive and checksum:

https://web.archive.org/web/20250000000000*/http://www.tinyc...

4. Y_Y ◴[06 Dec 25 15:16 UTC] No.46173945[source]▶

>>46173879 (TP) #

https://github.com/tinycorelinux

5. hypeatei ◴[06 Dec 25 15:23 UTC] No.46174009[source]▶

>>46173917 #

And compare it against what?

EDIT: nevermind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

replies(1): >>46174044 #

6. maccard ◴[06 Dec 25 15:27 UTC] No.46174044{3}[source]▶

>>46174009 #

Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.

replies(2): >>46174066 #>>46174206 #

7. hypeatei ◴[06 Dec 25 15:30 UTC] No.46174066{4}[source]▶

>>46174044 #

An integrity check is better than nothing, but yes it says nothing about its authenticity.

replies(3): >>46174149 #>>46174162 #>>46174365 #

8. embedding-shape ◴[06 Dec 25 15:39 UTC] No.46174149{5}[source]▶

>>46174066 #

An integrity check where both what you're checking and the hash you're checking against is literally not better than nothing if you're trying to prevent downloading compromised software. It'd flag corrupted downloads at least, so that's cool, but for security purposes the hash for a artifact has to be served OOB.

replies(1): >>46174476 #

9. firesteelrain ◴[06 Dec 25 15:40 UTC] No.46174162{5}[source]▶

>>46174066 #

You can use this site

https://distro.ibiblio.org/tinycorelinux/downloads.html

And all the files are here

https://distro.ibiblio.org/tinycorelinux/16.x/x86/release/

Under a HTTPS connection. I am not at a terminal to check the cert with OpenSSL.

I don’t see any way to check the hash OOB

Also this same thing came up a few years ago

https://www.linuxquestions.org/questions/linux-newbie-8/reli...

replies(1): >>46174420 #

10. firesteelrain ◴[06 Dec 25 15:46 UTC] No.46174206{4}[source]▶

>>46174044 #

There is a secure domain to download from as a mirror. For extra high security, the hash should be delivered OOB like on a mailing list but it isn’t

replies(1): >>46175398 #

11. throwaway984393 ◴[06 Dec 25 15:59 UTC] No.46174299[source]▶

>>46173879 (TP) #

Because there's big demand to mitm users of an extremely small and limited distribution from 2008?

replies(1): >>46177031 #

12. maccard ◴[06 Dec 25 16:07 UTC] No.46174365{5}[source]▶

>>46174066 #

It’s not better than nothing - it’s arguably worse.

13. maccard ◴[06 Dec 25 16:13 UTC] No.46174420{6}[source]▶

>>46174162 #

Is that actually tiny core? It’s _likely_ it is, but that’s not good enough.

> this same thing came up a few years ago

Honestly, that makes this inexcusable. There are numerous SSL providers available for free, and if that’s antithetical to them, they can use a self signed certificate and provide an alternative method of verification (e.g. via mailing list). The fact they don’t take this seriously means there is 0 chance I would install it!

Honestly, this is a great use for a blockchain…

replies(1): >>46174548 #

14. uecker ◴[06 Dec 25 16:20 UTC] No.46174476{6}[source]▶

>>46174149 #

It is better than nothing if you note it down. You can compare it later if somebody / or you was compromised to see whether you had the same download as everyone else.

replies(1): >>46174977 #

15. firesteelrain ◴[06 Dec 25 16:29 UTC] No.46174548{7}[source]▶

>>46174420 #

I usually only install on like a Raspberry Pi or VM for these toy distros

Are any distros using block chain for this ?

I am used to using code signing with HSMs

replies(1): >>46175360 #

16. maccard ◴[06 Dec 25 17:26 UTC] No.46174977{7}[source]▶

>>46174476 #

Sorry but this is nonsense. It’s better than nothing if you proactively log the hashes before you need them, but it’s actively harmful for anyone wi downloads it after it’s compromised.

replies(1): >>46175887 #

17. maccard ◴[06 Dec 25 18:19 UTC] No.46175360{8}[source]▶

>>46174548 #

I’d install it as a VM maybe,

> are any sisters using blockchain

I don’t think so, but it’s always struck me as a good idea - it’s actual decentralised verification of a value that can be confirmed by multiple people independently without trusting anyone other than the signing key is secure.

> I am used to code signing with HSMs

Me too, but that requires distributing the public key securely which… is exactly where we started this!

18. maccard ◴[06 Dec 25 18:22 UTC] No.46175398{5}[source]▶

>>46174206 #

Where is that mirror linked from? If for the HTTP site that’s no better than downloading it from the website in the first place.

> for extra high security,

No, sending the hash on a mailing list and delivering downloads over https is the _bare minimum_ of security in this day and age.

replies(1): >>46177165 #

19. uecker ◴[06 Dec 25 19:21 UTC] No.46175887{8}[source]▶

>>46174977 #

"It is better than nothing" is literally what I said. But thinking about it more, I actually think is quite useful. Any kind of signature or out-of-band hash is also only good if the source is not compromised, but knowing after the fact whether you are affected or not is extremely valuable.

20. debo_ ◴[06 Dec 25 22:13 UTC] No.46177031[source]▶

>>46174299 #

I swear to god. Won't somebody think of the yaks.

replies(1): >>46178355 #

21. firesteelrain ◴[06 Dec 25 22:29 UTC] No.46177165{6}[source]▶

>>46175398 #

You can use this site https://distro.ibiblio.org/tinycorelinux/downloads.html

And all the files are here https://distro.ibiblio.org/tinycorelinux/16.x/x86/release/

I posted that above in this thread.

I will add that most places, forums, sites don’t deliver the hash OOB. Unless you mean like GPG but that would have came from same site. For example if you download a Packer plugin from GitHub, files and hash all comes from same site.

replies(1): >>46183096 #

22. lysace ◴[07 Dec 25 01:18 UTC] No.46178355{3}[source]▶

>>46177031 #

And their shavers.

23. maccard ◴[07 Dec 25 16:55 UTC] No.46183096{7}[source]▶

>>46177165 #

> I will add that most places, forums, sites don’t deliver the hash OOB. Unless you mean like GPG but that would have came from same site. For example if you download a Packer plugin from GitHub, files and hash all comes from same site.

This thread started by talking about the site serving the download (and hash) over http. Github serves their content over https, so you're not going to be MITM'ed. There are other attack vectors, but if the delivery of the content you're downloading is compromised/MITM'ed, you've lost.

replies(1): >>46184525 #

24. firesteelrain ◴[07 Dec 25 19:50 UTC] No.46184525{8}[source]▶

>>46183096 #

If you want real integrity + provenance, you need a GPG-signed ISO and a public key obtained independently (or at least via HTTPS). Hashes alone aren’t a security measure; HTTPS + signatures are the modern minimum.