518 points LorenDB | 1 comments
hypeatei ◴[] No.46173879[source]
The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?
replies(4): >>46173917 #>>46173924 #>>46173945 #>>46174299 #
firesteelrain ◴[] No.46173917[source]
Not foolproof. Could compute MD5 or SHA256 after downloading.
replies(1): >>46174009 #
hypeatei ◴[] No.46174009[source]
And compare it against what?

EDIT: never mind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

replies(1): >>46174044 #
maccard ◴[] No.46174044{3}[source]
Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.
replies(2): >>46174066 #>>46174206 #
hypeatei ◴[] No.46174066{4}[source]
An integrity check is better than nothing, but yes it says nothing about its authenticity.
replies(3): >>46174149 #>>46174162 #>>46174365 #
1. maccard ◴[] No.46174365{5}[source]
It’s not better than nothing - it’s arguably worse.
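
An added example (not from the thread or any participant): a small Python model of the point argued above. A checksum file fetched over the same plain-HTTP channel catches accidental corruption but not an on-path rewrite, while a digest pinned from a separate authenticated channel catches both. The file names, contents and the pinned digest are constructed for illustration.

```python
import hashlib
import hmac

def digest(algo, data):
    return hashlib.new(algo, data).hexdigest()

def parse_checksum_file(text):
    """Parse md5sum/sha256sum-style lines ('<hex>  <name>') into {name: hex}."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[1].lstrip("*").strip()] = parts[0].lower()
    return entries

def matches(data, expected_hex, algo):
    # Constant-time comparison of the computed digest with the expected one.
    return hmac.compare_digest(digest(algo, data), expected_hex.lower())

def fetch_over_http(origin, rewrite=None):
    """Model of plain HTTP: anything on the path may alter every response."""
    return {n: (rewrite(n, b) if rewrite else b) for n, b in origin.items()}

# Constructed sample data (hypothetical names, not the real release files).
ISO, SUMS = "Core-sample.iso", "Core-sample.iso.md5.txt"
GENUINE = b"genuine image bytes (constructed sample)"
ORIGIN = {ISO: GENUINE,
          SUMS: (digest("md5", GENUINE) + "  " + ISO + "\n").encode()}
# Assumption: this digest was obtained over a separate, authenticated channel.
PINNED_SHA256 = digest("sha256", GENUINE)

def on_path_rewrite(name, body):
    """Both the image and its checksum file are replaced consistently."""
    modified = b"modified image bytes (constructed sample)"
    if name == ISO:
        return modified
    return (digest("md5", modified) + "  " + ISO + "\n").encode()

def check(responses):
    data = responses[ISO]
    listed = parse_checksum_file(responses[SUMS].decode())[ISO]
    return {"same_channel_md5": matches(data, listed, "md5"),
            "pinned_sha256": matches(data, PINNED_SHA256, "sha256")}

if __name__ == "__main__":
    print("clean fetch:    ", check(fetch_over_http(ORIGIN)))
    print("on-path rewrite:", check(fetch_over_http(ORIGIN, on_path_rewrite)))
```

The rewritten download passes the same-channel MD5 check and fails only against the pinned digest, which is why the reference value has to arrive over a channel the download path cannot alter.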