• Re: General questions

    From Greg Wooledge@21:1/5 to All on Mon Jul 8 19:40:01 2024
    On Mon, Jul 08, 2024 at 22:24:13 +0500, 타토카 wrote:
    Hello, dear Debian Community. I have several questions:
    1. Are all subscriptions to Debian free?

    Debian is Free Software. You are allowed to download it, in both binary
    and source forms, without requiring a subscription, or a license, other
    than the Free Software licenses that apply to each part of Debian.

    There are a few different Free Software licenses, and mostly they just
    reaffirm your rights to use and to distribute the software. One of
    them, the GNU General Public License, prevents you from placing any
    additional restrictions on the software if you distribute it to other
    people. (If you aren't distributing the software to other people, then
    none of this matters to you.)

    If you want to pay for support, there are some companies who might provide
    such a service, but those would be independent of Debian.

    2. How to check Debian Image Authentication? Is checksum verification (sha216sum, sha512sum) enough? Should I verify with GPG? If so, how can I
    do that? Or can you give me any additional advice to do right verification?

    https://www.debian.org/CD/verify

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From tomas@tuxteam.de@21:1/5 to All on Mon Jul 8 19:50:02 2024
    On Mon, Jul 08, 2024 at 10:24:13PM +0500, 타토카 wrote:
    Hello, dear Debian Community. I have several questions:
    1. Are all subscriptions to Debian free?
    2. How to check Debian Image Authentication? Is checksum verification (sha216sum, sha512sum) enough? Should I verify with GPG? If so, how can I
    do that? Or can you give me any additional advice to do right verification?

    Most of your questions are addressed here:

    https://www.debian.org/

    Yes, Debian is a free operating system, meaning that you are allowed
    to use, modify and give the software to others, as long as you limit
    yourself to the "free" repository. Other licenses may apply to the
    "non-free" section.

    Here's how you verify downloaded installation media:

    https://www.debian.org/CD/verify

Packages are signed; the package manager takes care of verifying their signatures before install:

    https://www.debian.org/doc/manuals/securing-debian-manual/deb-pack-sign.en.html

    Enjoy
    --
    tomás

    -----BEGIN PGP SIGNATURE-----

    iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZowlQQAKCRAFyCz1etHa RqYLAJoDiSznuv4/Og3DRQ6G/JbTaZGzQQCfcwpZUSZYJGhBvds+xa2Ke43QnoU=
    =WKe5
    -----END PGP SIGNATURE-----

  • From Dan Ritter@21:1/5 to All on Mon Jul 8 20:00:01 2024
    타토카 wrote:
    Hello, dear Debian Community. I have several questions:
    1. Are all subscriptions to Debian free?

    Yes. There are non-Debian businesses which can sell you support,
    if you like, but Debian software is all free.

    2. How to check Debian Image Authentication? Is checksum verification (sha216sum, sha512sum) enough? Should I verify with GPG? If so, how can I
    do that? Or can you give me any additional advice to do right verification?

    Verify a downloaded image with the checksum:

    https://www.debian.org/CD/verify

    After that, package updates from Debian HTTPS sources will be
    good.

    -dsr-

  • From Thomas Schmitt@21:1/5 to cybertatoka@gmail.com on Mon Jul 8 20:10:01 2024
    Hi,

    cybertatoka@gmail.com wrote:
    2. How to check Debian Image Authentication?
    Is checksum verification (sha216sum, sha512sum) enough?

    Only if you are trusting the site from where you downloaded the ISO.
    In that case you'd use the checksums in the files SHA256SUMS and
SHA512SUMS as a mere check of whether the download delivered what the server operators intended.


    Should I verify with GPG?

    The signatures in the files SHA256SUMS.sign and SHA512SUMS.sign verify that
    the checksums in SHA256SUMS and SHA512SUMS are authorized by the Debian developers who are in charge of image production.

    Verify them by e.g.

    gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS

    and look out for the text,

    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
    ...
    Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B

First occurrence of this fingerprint in my mailbox is Oct 10 2015.

    On
    https://www.debian.org/CD/verify
    there are two more valid keys published which would yield:

    gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>"
    Primary key fingerprint: 1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D

    gpg: Good signature from "Debian Testing CDs Automatic Signing Key <debian-cd@lists.debian.org>"
    Primary key fingerprint: F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3

Both have their first occurrence in my mailbox at Feb 16 2020.

If you see one of these texts, then you may assume the checksum files to
be valid (or the fingerprints to be falsifications that have gone undetected for years).
But if you see deviations in the fingerprint lines, then this would be very suspicious.


    Have a nice day :)

    Thomas

• From Michael Kjörling@21:1/5 to All on Mon Jul 8 21:10:02 2024
    On 8 Jul 2024 22:24 +0500, from cybertatoka@gmail.com (타토카):
    1. Are all subscriptions to Debian free?

    Others have already pointed out that Debian is free, but I want to
    note that this question seems to be based on a misunderstanding.

    The fact is that there are no "subscriptions" to Debian, in the
    typical sense.

    Some people voluntarily _donate_ to the Debian project to help cover
    costs, provide hardware, etc., and the Debian project solicits such
    donations in various ways. Some are members for example of this
    mailing list and give back to the community by answering other
    peoples' questions. Some contribute bug reports, code or documentation
    changes either to correct errors or to improve clarity. Some introduce
    their friends, family and relatives to free software and offer
    hands-on help. Some companies provide services at a lower price to
    people who are active in the Debian project, or to the Debian project
    itself.

    But there is absolutely no requirement to do any of this.

    Some companies do offer _support contracts_ that cover Debian, and
    particularly other companies tend to like this because it gives them
    somewhere to call if they have a problem. But you don't need to have
    anything like that to use Debian, or contribute in various ways.

    You can just download, install and use it. :-)

    --
    Michael Kjörling 🔗 https://michael.kjorling.se “Remember when, on the Internet, nobody cared that you were a dog?”

  • From Greg Wooledge@21:1/5 to All on Mon Jul 8 21:30:01 2024
    On Tue, Jul 09, 2024 at 00:15:00 +0500, 타토카 wrote:
    Thank you all for your answers.
    1. But I mean subscriptions like this "debian-user":) But I really like
    your answers about Debian's freedom. I think it is useful information. Thanks.

    The debian-user mailing list is open to all who wish to contribute to it,
    as long as they abide by the list's code of conduct. There is no fee
    involved. On the other hand, any answers you get here are "use at your
    own risk", as they are coming from random people on the Internet.

  • From Thomas Schmitt@21:1/5 to cybertatoka@gmail.com on Mon Jul 8 22:00:01 2024
    Hi,

    cybertatoka@gmail.com wrote:
        2.2. I have done then: gpg --keyserver keyring.debian.org --verify SHA512SUMS.sign SHA512SUMS
2.3. Then I have got the next info: Signature was made on 30 June 2024
        And RSA key: DF9B9C49EAA9298432589D76DA87E80D6294BE9B
    I have compared 2011 's key and mine and they are the same.

    The key string looks good, indeed.


    But is it a good idea to do that? Or do I need to download the open key and then compare them?

    It would suffice for me. If you know more ways to verify that the
    signature belongs to Debian, then apply them. Just to be sure.


    And is verification with SHA512SUMS.sign and SHA512SUMS enough? Should I do the same actions with SHA216SUMS.sign and SHA216SUMS?

    It is general belief that faking a SHA-512 checksum is not feasible,
    currently. Faking both, SHA-512 and SHA-256 would be even more difficult.
    So check both and raise loud alarm if one matches and the other does not.


    Have a nice day :)

    Thomas

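The checks Thomas describes in his two replies above (compare the image against both SHA256SUMS and SHA512SUMS and raise an alarm when exactly one of them matches; accept the gpg verdict only if it is a "Good signature" whose "Primary key fingerprint" line is one of the three fingerprints he quotes from https://www.debian.org/CD/verify) as a POSIX shell script. This is an added example, not code from the thread or from Debian; the file names, the temporary demo directory and the sample gpg output are constructed here, and verify_signed_sums assumes the signing key has already been imported, as the original poster did.

```shell
#!/bin/sh
# Added example (not from the thread): checksum + signature checks for a
# downloaded installer image, following the advice given on the list.
# Note that scripts do not expand shell aliases, so "sha256sum" here is the
# coreutils program even on a system with an "openssl dgst" alias.

# Fingerprints quoted in the thread from https://www.debian.org/CD/verify
PUBLISHED_FINGERPRINTS='
DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B
1046 0DAD 7616 5AD8 1FBC 0CE9 9880 21A9 64E6 EA7D
F41D 3034 2F35 4669 5F65 C669 4246 8F40 09EA 8AC3
'

# sum_matches DIR SUMFILE TOOL IMAGE: does the line for IMAGE in SUMFILE
# verify with TOOL (sha256sum or sha512sum)? Fails if IMAGE is not listed.
sum_matches() {
    line=$(cd "$1" && grep "[ *]$4\$" "$2") || return 1
    ( cd "$1" && printf '%s\n' "$line" | "$3" -c >/dev/null 2>&1 )
}

# check_both_sums DIR IMAGE: 0 if both checksum files agree, 1 if neither
# matches, 2 (with a loud message) if one matches and the other does not.
check_both_sums() {
    ok256=1; ok512=1
    sum_matches "$1" SHA256SUMS sha256sum "$2" && ok256=0
    sum_matches "$1" SHA512SUMS sha512sum "$2" && ok512=0
    if [ "$ok256" -eq 0 ] && [ "$ok512" -eq 0 ]; then
        echo "OK: $2 matches both SHA256SUMS and SHA512SUMS"
        return 0
    elif [ "$ok256" -ne "$ok512" ]; then
        echo "ALARM: $2 matches one checksum file but not the other" >&2
        return 2
    fi
    echo "FAIL: $2 matches neither checksum file" >&2
    return 1
}

# fingerprint_is_published GPG_OUTPUT: GPG_OUTPUT is the text gpg printed
# for "gpg --verify SHA512SUMS.sign SHA512SUMS". Requires a "Good signature"
# line and a "Primary key fingerprint:" on the published list (spaces ignored).
fingerprint_is_published() {
    printf '%s\n' "$1" | grep -q '^gpg: Good signature from' || return 1
    fp=$(printf '%s\n' "$1" | sed -n 's/^.*Primary key fingerprint: *//p' | tr -d ' ' | head -n 1)
    [ -n "$fp" ] || return 1
    printf '%s\n' "$PUBLISHED_FINGERPRINTS" | tr -d ' ' | grep -qx "$fp"
}

# verify_signed_sums DIR: run gpg on the real detached signature (assumes
# the Debian CD signing key is already imported). Needs gpg and a download,
# so it is not exercised by the demo below.
verify_signed_sums() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    out=$(cd "$1" && gpg --verify SHA512SUMS.sign SHA512SUMS 2>&1)
    fingerprint_is_published "$out"
}

# Constructed sample of gpg's report (key id and date as seen in the thread;
# the time is omitted). Used only to demonstrate fingerprint_is_published.
SAMPLE_GPG_OUTPUT='gpg: Signature made 30 Jun 2024 (constructed sample, time omitted)
gpg:                using RSA key DF9B9C49EAA9298432589D76DA87E80D6294BE9B
gpg: Good signature from "Debian CD signing key <debian-cd@lists.debian.org>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: DF9B 9C49 EAA9 2984 3258 9D76 DA87 E80D 6294 BE9B'
# Same report with the last fingerprint group altered: must be rejected.
SAMPLE_ALTERED_OUTPUT=$(printf '%s\n' "$SAMPLE_GPG_OUTPUT" | sed 's/6294 BE9B$/0000 0000/')

# make_demo_dir: temporary directory with constructed stand-ins for images
# and checksum files in the SHA256SUMS/SHA512SUMS layout; prints its path.
# tampered.iso is listed correctly in SHA256SUMS but with a wrong SHA-512.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    printf 'constructed stand-in for debian-example.iso\n' > "$d/debian-example.iso"
    printf 'constructed stand-in for tampered.iso\n' > "$d/tampered.iso"
    (
        cd "$d" || exit 1
        sha256sum debian-example.iso tampered.iso > SHA256SUMS
        sha512sum debian-example.iso > SHA512SUMS
        printf '%s  tampered.iso\n' "$(printf 'other content' | sha512sum | cut -d' ' -f1)" >> SHA512SUMS
    ) || return 1
    printf '%s\n' "$d"
}

DEMO_DIR=$(make_demo_dir)
for f in debian-example.iso tampered.iso missing.iso; do
    check_both_sums "$DEMO_DIR" "$f" || true
done
fingerprint_is_published "$SAMPLE_GPG_OUTPUT" && echo "sample fingerprint is on the published list"
fingerprint_is_published "$SAMPLE_ALTERED_OUTPUT" || echo "altered fingerprint rejected"
rm -rf "$DEMO_DIR"
```

On a real download, run `verify_signed_sums /path/to/download` first and only then `check_both_sums /path/to/download debian-<version>.iso`; a return code of 2 from the second step is the "one matches, the other does not" case Thomas says to treat as an alarm rather than a partial success.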
  • From Andy Smith@21:1/5 to All on Mon Jul 8 23:30:02 2024
    Hi,

    On Tue, Jul 09, 2024 at 12:15:00AM +0500, 타토카 wrote:
    I mean subscriptions like this "debian-user"

    The only cost associated with this mailing list is your sanity.

    Thanks,
    Andy

    --
    https://bitfolk.com/ -- No-nonsense VPS hosting

  • From gene heskett@21:1/5 to Andy Smith on Tue Jul 9 00:10:01 2024
    On 7/8/24 17:20, Andy Smith wrote:
    Hi,

    On Tue, Jul 09, 2024 at 12:15:00AM +0500, 타토카 wrote:
    I mean subscriptions like this "debian-user"

    The only cost associated with this mailing list is your sanity.

    +1, Andy. Some of us get downright upset with the Karens that think they
    run this all volunteer show. I've unfortunately come to the conclusion
    they are best ignored. Generally, they don't seem to be members of a
    civil society, or to be able to learn how to treat their fellow man.
    Your monitoring, and howto corrections are much appreciated, thank you.

    Thanks,
    Andy


    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis

  • From Andrew M.A. Cater@21:1/5 to gene heskett on Tue Jul 9 01:10:01 2024
    On Mon, Jul 08, 2024 at 06:08:49PM -0400, gene heskett wrote:
    On 7/8/24 17:20, Andy Smith wrote:
    Hi,

    On Tue, Jul 09, 2024 at 12:15:00AM +0500, 타토카 wrote:
    I mean subscriptions like this "debian-user"

    The only cost associated with this mailing list is your sanity.

    +1, Andy. Some of us get downright upset with the Karens that think they run this all volunteer show. I've unfortunately come to the conclusion they are best ignored. Generally, they don't seem to be members of a civil society,
    or to be able to learn how to treat their fellow man. Your monitoring, and howto corrections are much appreciated, thank you.

    Thanks,
    Andy



    All contributions by any Andy gratefully received on this list. There
    are also all sorts of people contributing to - and reading - this list. Sometimes, even the worst of the passers by and trolls improve.

    Please don't stoop to characterising others too readily as you might
    dissuade somebody from contributing who could be really valuable.

    All the very best, as ever,

    Andy
    (amacater@debian.org)

    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis


  • From gene heskett@21:1/5 to Andrew M.A. Cater on Tue Jul 9 01:20:01 2024
    On 7/8/24 19:02, Andrew M.A. Cater wrote:
    On Mon, Jul 08, 2024 at 06:08:49PM -0400, gene heskett wrote:
    On 7/8/24 17:20, Andy Smith wrote:
    Hi,

    On Tue, Jul 09, 2024 at 12:15:00AM +0500, 타토카 wrote:
    I mean subscriptions like this "debian-user"

    The only cost associated with this mailing list is your sanity.

+1, Andy. Some of us get downright upset with the Karens that think they run this all volunteer show. I've unfortunately come to the conclusion they are best ignored. Generally, they don't seem to be members of a civil society, or to be able to learn how to treat their fellow man. Your monitoring, and howto corrections are much appreciated, thank you.

    Thanks,
    Andy



    All contributions by any Andy gratefully received on this list. There
    are also all sorts of people contributing to - and reading - this list. Sometimes, even the worst of the passers by and trolls improve.

    Please don't stoop to characterising others too readily as you might
    dissuade somebody from contributing who could be really valuable.

    All quite true Andy. But you may have noted that I only speak up from
    personal experience from having done it myself, not always in the
    approved way.

    All the very best, as ever,

    Andy
    (amacater@debian.org)

    Take care & stay well, Andy.


    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis


    .

    Cheers, Gene Heskett, CET.
    --
    "There are four boxes to be used in defense of liberty:
    soap, ballot, jury, and ammo. Please use in that order."
    -Ed Howdershelt (Author, 1940)
    If we desire respect for the law, we must first make the law respectable.
    - Louis D. Brandeis

  • From Greg Wooledge@21:1/5 to All on Thu Jul 11 14:00:01 2024
    On Thu, Jul 11, 2024 at 16:47:45 +0500, 타토카 wrote:
Why are 64 signatures not checked and no ultimately trusted keys found here:
    $ gpg --import key-DA87E80D6294BE9B.txt
    gpg: key DA87E80D6294BE9B: 64 signatures not checked due to missing keys
    gpg: key DA87E80D6294BE9B: public key "Debian CD signing key <debian-cd@lists.debian.org>" imported
    gpg: Total number processed: 1
    gpg: imported: 1
    gpg: no ultimately trusted keys found

    And this:
    gpg: WARNING: This key is not certified with a trusted signature!
    gpg: There is no indication that the signature belongs to the
    owner.

    Because you haven't established a chain of trust from yourself to any
    of the signatures.

    You've downloaded this key from the Internet. And it's signed by 64
    other keys. That's all you know. You have no idea whether any of those
    64 signing keys are trustworthy.

    At some point, you have to say "This is good enough." And then you move
    on with your life, either installing Debian from the image that you have,
    or not.

    You've already done far more verification than most people do.

  • From Thomas Schmitt@21:1/5 to cybertatoka@gmail.com on Thu Jul 11 14:40:01 2024
    Hi,

    cybertatoka@gmail.com wrote:
    gpg: WARNING: This key is not certified with a trusted signature!

That's normal. The concept of a "web of trust" suffers from the fact
that most people whom I know well enough to trust in general
have no idea of PGP and thus are not really trustworthy in this particular respect.
    https://en.wikipedia.org/wiki/Web_of_trust

    The best verification you can get outside the web of trust is the
    key fingerprint which must match one of the published fingerprints on
    https://www.debian.org/CD/verify
    I deem them trustworthy because they did not change in years.

    (Cryptographers might object that old keys are poor keys. But they will
    also be right with telling you that cryptography is a minefield and thus amateurs like us should stay away from it.)


And can you explain to me what this is, please?
    $ alias | grep sha
    alias sha1='/usr/bin/openssl dgst -sha1 '
    alias sha256='/usr/bin/openssl dgst -sha256 '
    alias sha512='/usr/bin/openssl dgst -sha512 '

Shell commands "sha1", "sha256", and "sha512" were defined somewhere to actually be runs of the program /usr/bin/openssl with the checksum algorithms
given by the command names.

    Usually people get told to use shell commands "sha256sum" and "sha512sum"
    which are supposed to run the programs /usr/bin/sha256sum and /usr/bin/sha512sum from package "coreutils".

    In order to find out from where the "alias" definitions stem, you will
    have to check the startup scripts of your shell. Like ~/.bashrc .


    Have a nice day :)

    Thomas

  • From Greg Wooledge@21:1/5 to All on Thu Jul 11 14:40:01 2024
    On Thu, Jul 11, 2024 at 17:23:43 +0500, 타토카 wrote:
    But, what do you mean: "Because you haven't established a chain of trust
    from yourself to any of the signatures."

    Imagine someone walks up to you on the street and hands you a contract,
    which is signed by someone you've never heard of.

    You don't know the guy who gave you the contract. You've never seen him before. So, you don't trust him.

    You can do a little bit of research on the person whose signature is on
    the contract. Maybe she's famous. You look her up on the Internet, and
    it turns out that she's well known in certain circles. If her signature
    is on this contract, then the contract is probably worth something.

    But how do you know whether this is really her signature, or a forgery?

    If you knew her in person, you could go to her office, ask her to sign something in your presence, and compare her signature to the one you see
    on the contract.

    But you don't know her in person. She lives really far away, and she's
    too important and too busy to want to spend a lot of time signing blank
    pieces of paper for people like you anyway.

    But maybe you know someone who knows her. Your lawyer friend -- maybe
    he's worked with her before. He might know what her signature looks
    like. He might be able to tell you whether the signature on the contract
    is valid.

    So, you go to your lawyer friend, and you show him the contract, and
    he says "Yeah, that looks legit."

    Now you know what her signature looks like, or at least you've got
    verification from a source that you trust.

    Is it only for Debian developers? And is it very important?

    In theory, anybody can attend a key signing party, and get in-person verification of various GPG keys. Once you've got a few keys from
    people that you trust, your web of trust expands.

    If you've got a trusted key from Joe Smith, and Joe Smith says he
    trusts a key belonging to Sara Jones, and Sara Jones says she trusts
    the Debian signing key that you're trying to verify, then you have a
    chain of trust from yourself, to Joe, to Sara, to the Debian key.

    In practice, very few people do this, because it's a LOT of effort.

  • From Dan Purgert@21:1/5 to Greg Wooledge on Thu Jul 11 15:50:01 2024
    On Jul 11, 2024, Greg Wooledge wrote:
    On Thu, Jul 11, 2024 at 17:23:43 +0500, 타토카 wrote:
    But, what do you mean: "Because you haven't established a chain of trust from yourself to any of the signatures."

    Imagine someone walks up to you on the street and hands you a contract,
    which is signed by someone you've never heard of.

    You don't know the guy who gave you the contract. You've never seen him before. So, you don't trust him. [...]

    I always liked the analogy of schoolwork / notes.

    Say you missed last Friday's class, and you need the notes (where "the
    notes" correspond to "the pgp key in question").

    Scenario A: "untrusted" ("website with a link / posted fingerprint")
    You run into someone from class, who you don't really know all that
    well, but you do know they answer the professor pretty often (and
    correctly at that).

Scenario B: "web of trust" ("one or more trusted signatures on that key")
Nearly the same as "A", but the other person is a friend-of-a-friend.
    You can ask your friend when you meet them for lunch if you can trust
    the classmate's notes.

    Scenario C: "fully trusted" ("you made the effort to verify the owner")
You ask your best friend since second grade for their notes. You know
    they've been an "A" student since forever, and they take amazing notes.



    --
    |_|O|_|
    |_|_|O| Github: https://github.com/dpurgert
    |O|O|O| PGP: DDAB 23FB 19FA 7D85 1CC1 E067 6D65 70E5 4CE7 2860

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEE3asj+xn6fYUcweBnbWVw5UznKGAFAmaP4tgACgkQbWVw5Uzn KGBKig/+IlZc1SMS3G/Dt59y2wL8RwPjj2ICV9Jb3sHKtOauGGhT3BBCqdXQvTBH cb6dZwOYr6YTBc5ilHp8rV+wotgBm22LY2xcvspgpozzmHscZRHIb5IgH3zHv99j V4vrfAqlJK8tYHeli1SLXLPBDwaY/I9OOvAVJCtHB6OkAhS1GWqhi9MAw91d6kNE hrN+50258aQRgNl/MudhySsQGS3NN3NXNXxMkqRaWD9fGCK04wdkGigtcb9BAE+o jT0vYcxJMPt1/Mf8ncKyI3aP3YeY9DLdjCGqp2sMl0QF7GO0PHKkTJTrKFB6if5P wx8c/P7XtJup3UUQ5MP9Bms91qbKqh1gKExrCJkS4mVFguBFIw4yxCc21Rn/ymcO EVOSmBsuIZB+XRLxRFEo06mkAyZhnLcvjEbNqVC/oQPpBqD58SmdUhLWkLHY1PVO /Z6KaUN0lMoGtsd0ivpML0/WtlrPlo9KWlD0mvinZ8sIwaZoItEJin56uqYJva5I U0PQcyZ5LEcsQuo+rPeNuLrWstHkMscTJeoNwTjxfQooUMJRR1sJJNCpnCsta54P +QEB7+l6oCPUBAIxFuBhm8KP7h0RjuK6cVRfqoWF6shw7azOMaMZfQF7BJAxpKHA x9Nu4h8MGyWzWs/Ep8OjbMwtf0qipD7luQrOxCQ3Jd3lLxohC+w=
    =qQq7
    -----END PGP SIGNATURE-----
