←back to thread

Tiny Core Linux: a 23 MB Linux distro with graphical desktop

(www.tinycorelinux.net)
518 points LorenDB | 3 comments | 06 Dec 25 14:18 UTC | HN request time: 0.022s | source
Show context
hypeatei ◴[06 Dec 25 15:07 UTC] No.46173879[source]
The site doesn't have HTTPS and there doesn't seem to be any mention of signatures on the downloads page. Any way to check it hasn't been MITM'd?
replies(4): >>46173917 #>>46173924 #>>46173945 #>>46174299 #
firesteelrain ◴[06 Dec 25 15:13 UTC] No.46173917[source]
Not foolproof. Could compute MD5 or SHA256 after downloading.
replies(1): >>46174009 #
hypeatei ◴[06 Dec 25 15:23 UTC] No.46174009[source]
And compare it against what?

EDIT: nevermind, I see that it has the md5 in a text file here: http://www.tinycorelinux.net/16.x/x86/release/

replies(1): >>46174044 #
maccard ◴[06 Dec 25 15:27 UTC] No.46174044{3}[source]
Which is served from the same insecure domain. If the download is compromised you should assume the hash from here is too.
replies(2): >>46174066 #>>46174206 #
firesteelrain ◴[06 Dec 25 15:46 UTC] No.46174206{4}[source]
There is a secure domain to download from as a mirror. For extra high security, the hash should be delivered OOB like on a mailing list but it isn’t
replies(1): >>46175398 #
maccard ◴[06 Dec 25 18:22 UTC] No.46175398{5}[source]
Where is that mirror linked from? If for the HTTP site that’s no better than downloading it from the website in the first place.

> for extra high security,

No, sending the hash on a mailing list and delivering downloads over https is the _bare minimum_ of security in this day and age.

replies(1): >>46177165 #
1. firesteelrain ◴[06 Dec 25 22:29 UTC] No.46177165{6}[source]
You can use this site https://distro.ibiblio.org/tinycorelinux/downloads.html

And all the files are here https://distro.ibiblio.org/tinycorelinux/16.x/x86/release/

I posted that above in this thread.

I will add that most places, forums, sites don’t deliver the hash OOB. Unless you mean like GPG but that would have came from same site. For example if you download a Packer plugin from GitHub, files and hash all comes from same site.

replies(1): >>46183096 #
2. maccard ◴[07 Dec 25 16:55 UTC] No.46183096[source]
> I will add that most places, forums, sites don’t deliver the hash OOB. Unless you mean like GPG but that would have came from same site. For example if you download a Packer plugin from GitHub, files and hash all comes from same site.

This thread started by talking about the site serving the download (and hash) over http. Github serves their content over https, so you're not going to be MITM'ed. There are other attack vectors, but if the delivery of the content you're downloading is compromised/MITM'ed, you've lost.

replies(1): >>46184525 #
3. firesteelrain ◴[07 Dec 25 19:50 UTC] No.46184525[source]
If you want real integrity + provenance, you need a GPG-signed ISO and a public key obtained independently (or at least via HTTPS). Hashes alone aren’t a security measure; HTTPS + signatures are the modern minimum.