518 points LorenDB | 2 comments
hypeatei ◴[] No.46173879[source]
The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?
replies(4): >>46173917 #>>46173924 #>>46173945 #>>46174299 #
firesteelrain ◴[] No.46173917[source]
Not foolproof. Could compute MD5 or SHA256 after downloading.
replies(1): >>46174009 #
hypeatei ◴[] No.46174009[source]
And compare it against what?

EDIT: never mind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

replies(1): >>46174044 #
maccard ◴[] No.46174044{3}[source]
Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.
replies(2): >>46174066 #>>46174206 #
hypeatei ◴[] No.46174066{4}[source]
An integrity check is better than nothing, but yes it says nothing about its authenticity.
replies(3): >>46174149 #>>46174162 #>>46174365 #
firesteelrain ◴[] No.46174162{5}[source]
You can use this site

https://distro.ibiblio.org/tinycorelinux/downloads.html

And all the files are here

https://distro.ibiblio.org/tinycorelinux/16.x/x86/release/

Under an HTTPS connection. I am not at a terminal to check the cert with OpenSSL.

I don’t see any way to check the hash OOB

Also this same thing came up a few years ago

https://www.linuxquestions.org/questions/linux-newbie-8/reli...

replies(1): >>46174420 #
maccard ◴[] No.46174420{6}[source]
Is that actually tiny core? It’s _likely_ it is, but that’s not good enough.

> this same thing came up a few years ago

Honestly, that makes this inexcusable. There are numerous SSL providers available for free, and if that’s antithetical to them, they can use a self-signed certificate and provide an alternative method of verification (e.g. via mailing list). The fact they don’t take this seriously means there is 0 chance I would install it!

Honestly, this is a great use for a blockchain…

replies(1): >>46174548 #
1. firesteelrain ◴[] No.46174548{7}[source]
I usually only install on like a Raspberry Pi or VM for these toy distros

Are any distros using blockchain for this?

I am used to using code signing with HSMs

replies(1): >>46175360 #
2. maccard ◴[] No.46175360[source]
I’d install it as a VM maybe,

> are any distros using blockchain

I don’t think so, but it’s always struck me as a good idea - it’s actual decentralised verification of a value that can be confirmed by multiple people independently without trusting anyone other than the signing key is secure.

> I am used to code signing with HSMs

Me too, but that requires distributing the public key securely which… is exactly where we started this!
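
The point made earlier in the thread, that a checksum fetched over the same plain-HTTP channel as the image cannot reveal a rewrite in transit, shown as an added example (not code from any commenter or from the Tiny Core project). The file name `example.iso`, the source labels, the use of SHA-256 and all byte strings are constructed assumptions, and nothing is fetched from the network.

```python
import hashlib
import hmac

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def parse_checksum_file(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex digest>  <file name>'."""
    entries = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[1].strip().lstrip("*")] = parts[0].lower()
    return entries

def check(image: bytes, name: str, checksum_files: dict) -> dict:
    """Return {source label: bool} for each checksum file supplied."""
    actual = digest(image)
    results = {}
    for source, text in checksum_files.items():
        expected = parse_checksum_file(text).get(name)
        # A file name missing from the checksum list counts as a failure.
        results[source] = expected is not None and hmac.compare_digest(actual, expected)
    return results

# Constructed sample data (assumption): stand-ins for the real image bytes.
NAME = "example.iso"
GENUINE = b"genuine image bytes (constructed)"
TAMPERED = b"image rewritten in transit (constructed)"

def checksum_line(data: bytes, name: str) -> str:
    return f"{digest(data)}  {name}\n"

def demo() -> dict:
    # Whoever can rewrite the image on the HTTP channel can rewrite the
    # checksum file served beside it; the second channel still lists the
    # digest of the genuine image.
    sources = {
        "same_http_origin": checksum_line(TAMPERED, NAME),
        "https_mirror": checksum_line(GENUINE, NAME),
    }
    return check(TAMPERED, NAME, sources)

if __name__ == "__main__":
    for source, ok in demo().items():
        print(f"{source}: {'match' if ok else 'MISMATCH'}")
```

A match against the second channel only shows that two channels agree; it does not establish who published the file, which is the objection raised above about the mirror.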